Effective Date: September 27, 2021
This Squarespace Data Processing Addendum (this "DPA") forms part of, and is subject to the provisions of, the Squarespace Terms of Service. Capitalized terms that are not defined in this DPA have the meanings set forth in the Terms of Service.
1. Additional Definitions.
The following definitions apply solely to this DPA:
a. the terms “controller”, “data subject”, “personal data”, “process,” “processing” and “processor” have the meanings given to these terms in EU Data Protection Law.
b. “Breach” means a breach of the Security Measures resulting in access to Squarespace’s equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by Squarespace on your behalf and instructions through the Services.
c. “Content” means your User Content and any content provided to us from your End Users, including without limitation text, photos, images, audio, video, code, and any other materials.
d. “EU Data Protection Law” means any data protection or data privacy law or regulation of Switzerland, the United Kingdom or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.
e. “GDPR” means the EU General Data Protection Regulation 2016/679.References to GDPR and its provisions include the GDPR as amended and/or incorporated into UK law.
f. “Security Measures” means the technical and organizational security measures set outhere.
g.“Sub-Processor” means an entity engaged by Squarespace to process Your Controlled Data.
h. “Your Controlled Data” means the personal data in the Content Squarespace processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to Your Site) with respect to your End Users’ interactions with Your Site through their browser and technologies like cookies.
This DPA only applies to you if you or your End Users are data subjects located within the EEA, United Kingdom or Switzerland and only applies in respect of Your Controlled Data. You agree that Squarespace is not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.
3. Details of Data Processing.
3.1Subject Matter.The subject matter of the data processing under this DPA is Your Controlled Data.
3.2Duration.As between you and us, the duration of the data processing under this DPA is determined by you.
3.3Purpose.The purpose of the data processing under this DPA is the provision of the Services initiated by you from time to time.
3.4Nature of the Processing.The Services as described in the Agreement and initiated by you from time to time.
3.5Type of Personal Data. Your Controlled Data relating to you, your End Users or other individuals whose personal data is included in Content which is processed as part of the Services in accordance with instructions given through the Services.
3.6Categories of Data Subjects.You, Your End Users and any other individuals whose personal data is included in Content.
4. Processing Roles and Activities.
4.1Squarespace as Processor and You as Controller.You are the controller and Squarespace is the processor of Your Controlled Data.
4.3Description of Processing Activities.We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified through the Services (the “Purpose”). For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to integrate content or features from a social media platform on Your Site; or (b) email your End Users on your behalf.
4.4Compliance with Laws.You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this DPA. Squarespace will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
5. Our Processing Responsibilities.
5.1How We Process.We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through the Services. You agree that the Agreement and the instructions given through the Services are your complete and final documented instructions to us in relation to Your Controlled Data. Additional instructions outside the scope of this DPA require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe EU Data Protection Law, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
5.2Notification of Breach.We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under EU Data Protection Law. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgement by Squarespace of any fault or liability of Squarespace with respect to the Breach. Despite the foregoing, Squarespace’s obligations under this Section do not apply to incidents that are caused by you, any activity on your Account(s) and/or Third-Party Services.
5.3Notification of Inquiry or Complaint.We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data.
5.4Reasonable Assistance with Compliance.We will, to the extent that you cannot reasonably do so through the Services or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
5.5Security Measures and Safeguards.We will maintain the Security Measuresand the safeguardsset out here. We may change or update the Security Measures or safeguards but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5.6Sub-Processors.You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this DPA, to the extent applicable to the nature of the Services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email email@example.com. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email firstname.lastname@example.org. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate the Servicesor, if possible, the portions of the Services that involve use of such Sub-Processor. Except as set forth in this Section 5.6, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 5.6. Except as set forth in this Section 5.6 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data.Please note that if you are a Non-US User, Squarespace, Inc. is one of our Sub-Processors.Squarespace will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause Squarespace to breach any of Squarespace’s obligations under this DPA, solely to the extent that Squarespace would be liable under the Agreement if the act or omission was Squarespace’s own.
5.7Squarespace Audits.Squarespace may (but is not obliged to) use external or internal auditors to verify the adequacy of our Security Measures.
5.8Customer Audits and Information Requests.You agree to exercise any right you may have to conduct an audit or inspection by instructing Squarespace to carry out the audit described in Section 5.7. You agree that you may be required to agree to a non-disclosure agreement with Squarespace before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If Squarespace does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with EU Data Protection Law by means other than reviewing a report from such an audit, you may only request a change in the following way:
a. First, submit a request for additional information in writing to Squarespace, specifying all details required to enable Squarespace to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our Security Measures.
b. Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for Squarespace to verify Squarespace’s compliance with the Security Measures in order to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for Squarespace to maintain uninterrupted business operations and the security of its facilities and protect itself and its customers from risk and to prevent disclosure of information that could jeopardize the confidentiality of Squarespace or our users’ information.
You will pay our costs in considering and addressing any Request. Any information and documentation provided by Squarespace or its auditors pursuant to this Section 5.8 will be provided at your cost. If we decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected Paid Services.
5.9Questions.Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this DPA, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with EU Data Protection Law). The information to be made available by Squarespace under this Section 5.9 is limited to solely that information necessary, taking into account the nature of the Services and the information available to Squarespace, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with Squarespace before we share any such information with you.
5.10Requests. You can delete or access a copy of some of Your Controlled Data through the Services. For any of Your Controlled Data which may not be deleted or accessed through the Services, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable Paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which we maintain in order to comply with applicable law or as otherwise set forth in the Agreement). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy.
6. Data Transfers.
6.1 Taking into account, in particular, the Security Measures and safeguards provided for in this DPAand the specific circumstances, you authorise Squarespaceto transfer Your Controlled Data away from the country in which such data was originally collected toother countries globally in which Squarespace or anysub-processors operate, including in particular, to the US.
6.2 Unless suchtransferis otherwise permitted under EU Data Protection Law,transfers to a subprocessor in any country not recognized under EU Data Protection Law as providing an adequate level of protection forYour Controlled Data shall proceed pursuant to (a) the processor to processor (module 3) standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR and approved by the European Commission decision 2021/914, dated 4 June 2021; or (b) such other standard contractual clauses for the transfer of personal data to third countries that are recognised under the applicable EU Data Protection Law in the EEA, UK or Switzerland. In order to facilitate an efficient and coordinated service, all communication with Squarespace and any subprocessor (including Squarespace, Inc.) in connection with such standard contractual clauses will, to the extent possible, be coordinated and directed through Squarespace Ireland Limited.
6.3Any European Commission standard contractual clauses between you and Squarespace, Inc. in respect of Your Controlled Data that were put in place pursuant to a previous version of this DPA are terminated with effect from 27 September 2021. You agree that Your Controlled Data transferred pursuant to the terminated standard contractual clauses shall not be destroyed or returned due to such termination, but instead, shall continue to be processed in accordance with and subject to the terms of this DPA and as if transferred pursuant to the standard contractual clauses identified in Section 6.2.
The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by Squarespace Ireland or Squarespace, Inc. in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under the Agreement, this DPA or EU Data Protection Law shall reduce as applicable, Squarespace Ireland’s and/or Squarespace, Inc.'s maximum aggregate liability to you in the same amount as such regulatory penalties, claims and/or liability incurred by us as a result.
In the event of a conflict between this DPA and the Terms of Service, this DPA will control.
You are responsible for any costs and expenses arising from Squarespace Ireland’s and Squarespace, Inc.'s compliance with your instructions or requests pursuant to the Agreement (including this DPA) which fall outside the standard functionality made available generally through the Services.
If you're running a business that works with user's data, then you need a Data Processing Addendum. Having a Data Processing Addendum will help your business in a legal dispute if a third-party try to misuse your user's data.
Squarespace collects personal data when you visit this website, including: Information about your browser, network and device. Web pages you visited prior to coming to this website. Web pages you view while on this website.
Generally, you need a DPA whenever you rely on the qualifications and resources of third-party expertise to carry out your data processing. For comprehensive protection, the GDPR clearly defines the mandatory information for any DPA. Numerous aspects have to be covered.
The main purpose of a Data Processing Addendum (DPA) is to protect the user's data in compliance with the GDPR or any other Privacy Laws. For example, you have a business that operates through a website and collects the information of the visitors visiting your website.
How Squarespace Protects and Processes Your Data. Squarespace website traffic is encrypted via SSL providing a secure end to end connection for you and your visitors. SSL prevents hackers from impersonating your site or stealing information that customers submit, like an email address or a credit card number.
Squarespace analytics is our reporting platform that gives you insight into how your site is performing. With analytics, you can get a clear picture of your visitors and their behavior through visual reports on statistics like pageviews, conversion, sales, referrers, and bounce rate.
Squarespace uses some necessary cookies so visitors can navigate and use key features on your site. These cookies vary from site to site depending on the features it uses. For example, functional and required cookies help these features work: Customer accounts.
Your privacy statement must accurately reflect your site's data collection and use. Your privacy statement should be clear, direct, and easy to understand. Keep technical jargon and legal terminology to a minimum. If you decide to modify how you use personal information, you must inform your users.
Also, you need to be at least 16 years old to use Squarespace.
How to easily create a privacy & terms policy for your Squarespace website
When do I need a DPA? Organizations leveraging data on EU residents need a GDPR data processing agreement any time they hire a third party to process that data. For companies which do not engage with EU user data, a DPA can still prove useful for outlining the terms of business with external data processors.
Data Protection Addendum means to the extent applicable, an agreement annexed hereto between Ntrepid and Customer that establishes the circumstances under which Ntrepid, as a Service Provider, may Process Personal Data of Customer in accordance with applicable data privacy and data protection laws.
This Data Privacy Addendum (“DPA”) relates to the processing by Ping Identity Corporation (“Ping Identity”) of Personal Data (as defined below) provided by the company or entity that is party (“Customer”) to the applicable subscription or license agreement and ordering documentation between Customer and Ping Identity ( ...
- Step 1: identify the need for a DPIA.
- Step 2: describe the processing.
- Step 3: consider consultation.
- Step 4: assess necessity and proportionality.
- Step 5: identify and assess risks.
- Step 6: identify measures to mitigate the risks.
- Step 7: sign off and record outcomes.