Sparrow Data Processing Addendum

Posted December 22, 2022

This Data Processing Addendum (including all Schedules attached hereto, the “DPA”) is incorporated into, and is subject to, the Sparrow agreement that governs the use of the Sparrow service (the “Agreement”) between TrySparrow.com, Inc. (“Sparrow” or “Company”) and the entity identified as “Customer” in the Agreement (“Customer”). This DPA applies where Company’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.

1. Definitions

2. Processing of Customer Personal Data

3. Confidentiality and Security

4. Sub-Processing

5. Data Subject Rights

Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Company receives any Requests during the term, Company will advise the Data Subject to submit the request directly to Customer. Company will provide Customer with reasonable assistance to permit Customer to respond to Requests. Where necessary, Customer shall inform Company of any other Requests that Company must comply with, and provide the information necessary for Company to comply with the request.

6. Personal Data Breaches

Company will notify Customer without undue delay after it becomes aware of any Personal Data Breach affecting any Customer Personal Data to the extent legally permissible. At Customer’s request, Company will promptly provide the Customer with reasonable assistance necessary to enable Customer to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breach. Company’s notice of or response to a Personal Data Breach under this Section 6 will not be an acknowledgement or admission by Company of any fault or liability with respect to the Personal Data Breach.

7. Data Protection Impact Assessment; Consultation

Company will provide Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if Customer is required to engage in such activities under applicable Data Protection Laws, and solely to the extent that such assistance is necessary and relates to the Processing by Company of the Customer Personal Data, taking into account the nature of the Processing and the information available to Company.

8. Deletion of Customer Personal Data

Customer may instruct Company to delete Customer Personal Data within 90 days of the termination of the Agreement and delete existing copies unless applicable law requires otherwise. Notwithstanding the foregoing, Company may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Company maintains the confidentiality of all such Customer Personal Data and Processes such Company Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.

9. Audits and Information

10. Analytics Data

Customer acknowledges and agrees that Company may create and derive from Processing related to the Service anonymized and/or aggregated data that does not identify Customer or any Data Subject (“Analytics Data”), and use, publicize or share with third parties such Analytics Data to improve the Service and for Company’s other legitimate business purposes.

11. Liability

12. Cross-Border Transfers of Customer Personal Data

The Service to be performed by Company only applies to individuals located in the United States and Canada. The Service may be performed by Company to individuals outside of the United States and Canada only to the extent agreed upon by the parties in writing.

13. General Provisions

With regard to the subject matter of this DPA, in the event of a conflict between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. This DPA may not be modified except by an amendment signed by both parties. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
