
DATA PROCESSING AGREEMENT

Revised October 2024

This Data Processing Agreement (“DPA”) is incorporated into the agreement between PandaDoc, Inc. (“PandaDoc”) and Customer that governs Customer’s use of PandaDoc’s Services (the “Agreement”). All capitalized terms not defined herein shall have the meaning set forth in the Agreement. This DPA is effective as of the effective date of the Agreement (the “Effective Date”).

 

1. DEFINITIONS

 

       “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the applicable party to this Agreement, where “control,” means direct or indirect ownership of or authority to direct more than 50% of the voting interests of the subject entity.

 

       “Applicable Privacy Laws” means all applicable privacy laws and regulations that apply to PandaDoc’s Processing of Personal Data under the Agreement.

 

       “Controller” shall have the meaning given to it under Applicable Privacy Laws.

 

       “California Personal Information” means Personal Data that is subject to the protection of the CCPA.

 

       “Customer Content” means all data and information provided by Customer, its Affiliates and its Users to PandaDoc in relation to PandaDoc’s provision of products and/or services including, without limitation, any text, files, pictures, video, images, audio material, graphics, documents, links and profile information. “Customer Content” does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Customer Content.

 

       “Data Subject” means the identified or identifiable person to whom Personal Data relates.

 

       “EEA” means the European Economic Area and/or their member states, Switzerland and the United Kingdom.

 

       “Personal Data” means any information that relates to an identified or identifiable natural person or to an identified or identifiable legal entity, to the extent that such information is protected as personal data or personally identifiable information under Applicable Privacy Laws and such data submitted is Customer Content. “Personal Data” as used herein only applies to Personal Data for which PandaDoc is a Processor.

 

       “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

       “Processor” shall have the meaning given to it under Applicable Privacy Laws.

 

       “PandaDoc Inc.” means PandaDoc, Inc., a corporation incorporated in Delaware.

 

       “PandaDoc” means, collectively, PandaDoc Inc. and its Affiliates engaged in the Processing of Personal Data.

 

       “Restricted Transfer” means: (i) where the GDPR applies, a transfer of Personal Data originating from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data originating from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss Data Protection Act applies, a transfer of Personal Data originating from Switzerland to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

 

       “Security Practices” means PandaDoc’s “Security Practices Datasheet”, as updated from time to time, and currently accessible at https://www.PandaDoc.com/legal/security-practices/

 

       “Standard Contractual Clauses” or “SCCs” means: (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council, (the “EU SCCs”) and which are hereby incorporated into this DPA; (ii) where the UK GDPR applies, the International Transfer Addendum or Addendum to the EU SCCs for international data transfers issued under Section 119A of the Data Protection Act 2018 and approved by UK Parliament on 21 March 2022 (“International Data Transfer Addendum”) and which is hereby incorporated into this DPA; and (iii) where the Swiss Data Protection Act applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”), in each case as completed as described in Section 11 below. For the purposes of the EU SCCs and the International Transfer Addendum, if applicable, (a) Customer shall be the ‘data exporter’ and PandaDoc the ‘data importer’.

 

       “Sub-processor” means any entity engaged by PandaDoc and/or its Affiliates to Process Personal Data in connection with PandaDoc’s products and/or services.

 

       “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR for the EU; the Information Commissioner’s Office (‘ICO’) in the United Kingdom; or the Federal Data Protection and Information Commissioner (FDPIC) in Switzerland; the National Data Protection Authority (ANPD) in Brazil or the Privacy Commissioner of Canada in Canada.

 

2. PROCESSING OF PERSONAL DATA

2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and PandaDoc is the Processor. PandaDoc may engage Subprocessors pursuant to the requirements set forth in Article 4 “Subprocessors” below to Process such Personal Data.

 

2.2. Customer’s Responsibilities. Customer shall have sole responsibility for the accuracy and quality of Personal Data, the means by which Customer acquired such Personal Data and ensure compliance with laws as it relates to the foregoing. Customer acknowledges that it is responsible for properly implementing access and use controls and configuring certain features and functionalities that Customer may elect to use and that it will do so in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data. PandaDoc will be entitled to rely solely on Customer’s instructions relating to Personal Data Processed by PandaDoc.

 

2.3. PandaDoc’s Processing of Personal Data. With respect to Personal Data Processed by PandaDoc as Customer’s Processor, PandaDoc shall only Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and Order(s); (ii) Processing initiated by authorized users in their use of PandaDoc’s products and/or services; and (iii) Processing to comply with other reasonable written instructions provided by Customer (e.g., via email or support tickets) (individually and collectively, the “Purpose”). PandaDoc shall not disclose Personal Data to third parties except: (i) to employees, service providers, or advisers who have a need to know the Personal Data and are under confidentiality obligations at least as restrictive as those described under this DPA, or (ii) as required to comply with valid legal process in accordance with the terms of the Agreement. If PandaDoc has reason to believe Customer’s instructions infringe Applicable Privacy provisions, then PandaDoc will promptly notify Customer. Customer acknowledges and agrees that PandaDoc collects cumulative, anonymized data and analytics pertaining to its customers including without limitation Customer (“Unidentifiable Data”), and, provided that such Unidentifiable Data Subject is and will remain unidentifiable, the data is not subject to the deletion requirement set forth in Paragraph 7 (“Return and Deletion of Client Data”) herein. PandaDoc is not responsible for compliance with any Applicable Privacy Laws applicable to Customer or Customer’s industry.

 

2.4. Details of the Processing. PandaDoc agrees that it will Process the Personal Data in relation to the Purpose and the provision of PandaDoc’s products and/or services. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit 3 attached hereto and incorporated herein.

 

3. RIGHTS OF DATA SUBJECTS & DATA SUBJECT REQUESTS

3.1. PandaDoc shall, to the extent legally permitted, promptly notify Customer if PandaDoc receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, PandaDoc shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Applicable Privacy Laws. In addition, to the extent Customer, in its use of PandaDoc’s products and/or services, does not have the ability to address a Data Subject Request, PandaDoc shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent PandaDoc is legally permitted to do so and the response to such Data Subject Request is required under Applicable Privacy Laws. PandaDoc

 

4. SUBPROCESSORS

4.1. Appointment of Subprocessors. Customer acknowledges and agrees that (a) PandaDoc’s Affiliates may be retained as Subprocessors; and (b) PandaDoc and PandaDoc’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the products and/or services. As a condition to permitting a third-party Sub-processor to Process Personal Data, PandaDoc or a PandaDoc Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor. Customer acknowledges that PandaDoc is located in the United States and provides PandaDoc’s products and/or services to Customer. Customer agrees to enter into the SCCs and acknowledges that Subprocessors may be appointed by PandaDoc in accordance with Clause 9 of the SCCs incorporated herein.

4.2. List of Current Subprocessors and Notification of New Subprocessors. The current list of Subprocessors PandaDoc uses to provide the products and/or services, including the identities of those Subprocessors and their country of location, is accessible at http://www.PandaDoc.com/GDPR/subprocessors (“Sub-processor List”) which may be updated by PandaDoc from time to time, but not less than annually when applicable, upon advance written notice to Customer.

4.3. Objection Right for New Subprocessors. Customer may reasonably object to PandaDoc’s use of a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate Applicable Privacy Laws or weaken the protections for such Personal Data) by notifying PandaDoc promptly in writing within 30 business days after Customer becomes aware of such change. Such notice shall include the date the Customer became aware of the new Sub-processor and explain the reasonable grounds for the objection. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, PandaDoc will use commercially reasonable efforts to make available to Customer a change in PandaDoc’s products and/or services or recommend a commercially reasonable change to Customer’s configuration or use of PandaDoc’s products and/or services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If PandaDoc is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days from the date PandaDoc receives written notice from Customer, either party may terminate without penalty the applicable Order(s) with respect only to those PandaDoc’s products and/or services which cannot be provided by PandaDoc without the use of the objected-to new Sub-processor by providing written notice to the other party advising of such termination. PandaDoc will refund to Customer any prepaid fees covering the remainder of the term of such Order(s) following the effective date of termination with respect to such terminated PandaDoc products and/or services, without imposing a penalty for such termination on Customer.

4.4. PandaDoc Liability for Subprocessors. PandaDoc is responsible for its Subprocessors’ acts and omissions in relation to PandaDoc’s obligations under this DPA.

 

5. SECURITY

5.1. Controls for the Protection of Customer Content. PandaDoc shall maintain appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Customer Content, as set forth in the Security Practices located at https://www.PandaDoc.com/legal/security-practices/

5.2. Third-Party Certifications and Audits. PandaDoc has obtained the third-party certifications and audits set forth in the Security Practices. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, PandaDoc shall make available to Customer (or Customer’s independent, third-party auditor) the third-party certifications and set forth in the Security Practices. Customer may contact PandaDoc in accordance with the “Notices” Section of the Agreement to request an audit of PandaDoc’s procedures relevant to the protection of Personal Data, but only to the extent required under Applicable Privacy Laws and Customer shall not disrupt PandaDoc’s business operations during the performance of such audit. Before the commencement of any such audit, Customer and PandaDoc shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify PandaDoc with information regarding any non-compliance discovered during the course of an audit, and PandaDoc shall use commercially reasonable efforts to address any confirmed non-compliance.

 

6. CUSTOMER CONTENT INCIDENT MANAGEMENT AND NOTIFICATION

       PandaDoc shall maintain commercially reasonable security incident management policies and procedures specified in the Security Practices. PandaDoc shall notify Customer without undue delay, but in no event more than forty-eight (48) hours, after discovery of any breach relating to Personal Data (within the meaning of which may require a notification to be made to a Supervisory Authority or Data Subject under Applicable Privacy Laws or which PandaDoc is required to notify to Customer under Applicable Privacy Laws (a “Customer Content Incident”). Taking into account the nature of Processing and the information available to PandaDoc and in accordance with the Agreement, PandaDoc shall provide commercially reasonable cooperation and assistance in identifying the cause of such Customer Content Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within PandaDoc’s control. The obligations herein shall not apply to incidents that are caused by Customer, Customer’s authorized users and/or any non-PandaDoc products and/or services.

 

7. RETURN AND DELETION OF CUSTOMER CONTENT

       Upon termination of the Agreement and/or Order pursuant to which PandaDoc is Processing Personal Data, PandaDoc shall, upon Customer’s request, and subject to the limitations described in the Agreement and the Security Practices, return all Customer Content and copies of such data to Customer or securely destroy them and reasonably demonstrate to the Customer that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Customer Content. PandaDoc agrees to preserve the confidentiality of any retained Customer Content for the duration of the Agreement only and will only actively Process such Customer Content after such date if agreed to by the parties or to otherwise comply with applicable laws. This Section 7 shall not apply to Unidentifiable Data, as defined herein.

 

8. PANDADOC PERSONNEL

       8.1. Confidentiality. PandaDoc shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. PandaDoc shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

       8.2. Reliability. PandaDoc shall take commercially reasonable steps to ensure the reliability of any PandaDoc personnel engaged in the Processing of Personal Data.

       8.3. Limitation of Access. PandaDoc shall ensure that PandaDoc’s access to Personal Data is limited to those personnel performing services in accordance with the Agreement.

       8.4. Data Protection Officer/Responsible Party. PandaDoc has a data protection officer or individual responsible for its data protection in the United States, EU and UK that are collectively reached at privacyteam@PandaDoc.com


 

9. LIMITATION OF LIABILITY

Each party’s liability under this DPA is subject to the limitations of liability described in the Agreement.

DPIA & TRANSFER MECHANISMS

PandaDoc will Process Personal Data in accordance with the Applicable Privacy Laws requirements directly applicable to the provisioning of PandaDoc’s products and services.

9.1. Data Protection Impact Assessment. Upon Customer’s request, PandaDoc shall provide Customer with reasonable cooperation and assistance (at Customer’s expense) needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of PandaDoc’s products and/or services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to PandaDoc. PandaDoc shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR.

9.2. Transfer Mechanisms. 

PandaDoc shall (and shall procure that any Subprocessor shall) not nor permit  Process or transfer (directly or via onward transfer) any Customer Content in or to a territory other than the territory in which the Customer Content was first collected (unless: (i) it has first obtained Customer’s prior written consent and (ii) it takes all such measures as are necessary to ensure such Processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by Customer to PandaDoc).  Without prejudice to the foregoing, the Parties agree that when a transfer of Customer Content by Customer (as data exporter) to PandaDoc (as data importer) under this DPA is a Restricted Transfer, PandaDoc shall be bound by the SCCs, which shall be deemed incorporated into this DPA as follows:  

 

       9.2.1. In relation to transfers of Personal Data protected by the GDPR, the EU SCCs will apply completed as follows:

       9.2.2. Where Customer is a controller of the Personal Data, Module Two (controller to processor transfers) shall apply;

       9.2.3. In Clause 7, the optional docking clause will apply;

       9.2.4. In Clause 9, Option 2 will apply, and the time period for prior notice of Subprocessor changes shall be as set out in Section 4 of this Agreement;

       9.2.5. In Clause 11, the optional language will not apply;

       9.2.6. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

       9.2.7. In Clause 18(b), disputes shall be resolved before the courts of Ireland; and

       9.2.8. Annex I and II of the EU SCCs shall be deemed completed with the information set out in Exhibit 1 of this DPA;

 

          9.2.8.1 In relation to transfers of Personal Data protected by the UK GDPR, the EU SCCs will also apply to such transfers in accordance with Section 11.2.1.1 above, with the following modifications:

            9.2.8.1.1. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the UK GDPR; references to specific Articles of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK GDPR

            9.2.8.1.2. references to “EU”, “Union” and “Member State law” are all replaced with “UK”; Clause 13(a) and Part C of Annex I of the EU SCCs are not used; references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the Information Commissioner and the courts of England and Wales;

            9.2.8.1.3. Clause 17 of the EU SCCs is replaced to state that “The Clauses are governed by the laws of England and Wales” and Clause 18 of the EU SCCs is replaced to state “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts;”

            9.2.8.1.4. The International Transfer Addendum is set forth at Exhibit 2 to this DPA, if applicable,

unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the UK GDPR, in which event the UK SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the UK SCCs shall be populated using the information contained in Exhibits 1-2 of this DPA (as applicable).

 

          9.2.8.2. In relation to transfers of Personal Data protected by the FAPD, the EU SCCs will also apply to such transfers in accordance with Section 11.2.1.1 above, with the following modifications:

            9.2.8.2.1. any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Data Protection Act;

            9.2.8.2.2. references to “EU”, “Union”, “Member State” and “Member State law” shall be interpreted as references to Switzerland and Swiss law, as the case may be; and

            9.2.8.2.3. references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the FDPIC and competent courts in Switzerland,

unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss Data Protection Act, in which event the Swiss SCCs shall instead be incorporated by reference and form an integral part of this DPA and shall apply to such transfers. Where this is the case, the relevant Annexes or Appendices of the Swiss SCCs shall be populated using the information contained in Exhibit 1 of this DPA (as applicable).

Where the Processing involves the transfer of Customer Content subject to the LGPD and where such Customer Content is transferred either directly or via onward transfer to countries that do not ensure an adequate level of protection within the meaning of the LGPD, PandaDoc agrees to process such Customer Content in compliance with LGPD and any other relevant Brazilian laws.

 

10. ADDITIONAL PROVISIONS FOR CALIFORNIA PERSONAL INFORMATION

10.1. When processing California Personal Information (as defined in the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100, “CPRA”)) in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is a Business and PandaDoc is a Service Provider for the purposes of the CPRA. PandaDoc shall process California Personal Information solely for a valid business purpose to perform the Services.

10.2. PandaDoc understands and agrees to the prohibition from: (i) selling or sharing of California Personal Information that it processes on behalf of the Customer; (ii) retaining, using, or disclosing California Personal Information for a commercial purpose other than providing the Services or otherwise permitted by CCPA; (iii) retaining, using, or disclosing California Personal Information outside of the Agreement between PandaDoc and Customer, (iv) retaining, using, or disclosing the personal information for any purpose outside those specified in the contract or outside the direct business-service provider relationship; and (v) combining the personal information received from or on behalf of the business with personal information the service provider received elsewhere, unless specific statutory or regulatory exceptions apply.

 

11. VENUE

This DPA and any dispute or claim arising out of and/or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the legal system of Ireland under GDPR for the EU and in accordance with the Terms of the Agreement for all other venues.

 

12. MISCELLANEOUS

The parties agree that this DPA and, if applicable, the Standard Contractual Clauses, shall terminate automatically upon (i) termination of the Agreement; or (ii) if applicable, the expiration or termination of all Orders or similar contract documents entered into by PandaDoc with Customer pursuant to the Agreement, whichever is later. Any obligation imposed on either party under this DPA in relation to the Processing of Personal Data that would reasonably be interpreted to survive any termination or expiration of this DPA, shall survive. Customer may notify PandaDoc in writing from time to time of any variations to this DPA which are required as a result of a change in Applicable Privacy Laws. Any such required variations shall take effect on the date falling 45 (forty-five) calendar days after the date such written notice is received and PandaDoc shall procure that, where necessary, the terms in each contract between PandaDoc or any PandaDoc Affiliate and each Sub-processor are amended to incorporate such variations within the same time period. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

 

13. ORDER OF PRECEDENCE. In the event of any conflict or inconsistencies between this DPA and any other written agreement between the parties (including the Agreement), this DPA shall prevail. In the event of conflict between the SCCs and this DPA, the SCCs shall prevail.

 

List of Exhibit(s) attached and incorporated:

Exhibit 1: Annexes 1-3 to the SCCs

Exhibit 2: UK International Data Transfer Addendum 

 

 

EXHIBIT 1 TO THE DATA PROCESSING AGREEMENT

 

ANNEX 1-3 OF THE SCCS

 

This Exhibit 3 forms part of the DPA. Capitalized terms not defined in this Exhibit 3 have the meaning set forth in the DPA.

 

SCCs ANNEX I

 

A. LIST OF PARTIES

 

     Data Exporter:

 

     1. Name: Customer

 

       Address: Customer’s billing address on file with PandaDoc.

 

       Contact person’s name, position and contact details: Customer’s account owner information provided at the time of purchasing PandaDoc Services.

 

       Relevant Activities: As set forth below and in accordance with the Agreement.

 

       Signature & Date: By entering into this DPA, Data Exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date.

 

     Data Importer:

 

     2. PandaDoc, Inc.

     548 Market St PMB 185308, San Francisco, CA, 94104

     Email: privacyteam@PandaDoc.com

 

     Relevant Activities: As set forth in Exhibit 2, the Agreement, and any applicable Order or SOW.

 

     Signature & Date: By entering into this DPA, Data Exporter is deemed to have signed these SCCs incorporated herein, including their Annexes, as of the Effective Date.

 

B. DESCRIPTION OF TRANSFER

 

  1. Categories of data subjects whose personal data is transferred:

 

       The authorized representative(s) of the organization using PandaDoc and Customer’s end-user, if applicable.

 

  2. Categories of personal data transferred:

 

a. Customer and Customer’s end-user (if applicable):

       i. Contact details: Name (First & Last), Email Address, Phone Number, Company Name, Job Role, IP address, geolocation information, log-in and password 

       ii. Billing details: Name (First & Last), Email Address, Address, Country, State, City, Zip code, Credit Card information

       iii. Other details: demographic information, usage data including the amount of time spent on particular pages and the number of times a document is viewed, names and email addresses of parties to a transaction, subject line, history of actions individuals take related to a transaction (i.e., sign and forward features) and personal information about those individuals or their devices, such as name, IP address, email address and other authentication methods.

 

b. Customer’s Employees:

       i. Contact Details: Name (First & Last), Email Address

 

  3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitations, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

 

Data exporter shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to data importer for processing.

 

  4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

 

Personal data may be transferred on a one-off or continuous basis at the option of the authorized user.

 

  5. Nature of the processing. Please select from the following and/or add. The following list shall act as the default in response to this, if no selection is made.

 

     a. Adaption or alteration

     b. Collection

     c. Consultation

     d. Destruction

     e. Disclosure by transmission

     f. Dissemination 

     g. Erasure 

     h. Organization

     i. Recording 

     j. Retrieval 

     k. Storage

     l. Structuring

     m. Use

 

  6. Purpose(s) of the data transfer and further processing

 

The purpose of the data transfer is to further the contract (Agreement) and for the person seeking to evaluate the PandaDoc service.

 

  7. The period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period.

 

For the duration of the Agreement and the provision of services as outlined in such Agreement or Order.

 

  8. For transfers to (sub-) processors, also specific subject matter, nature and duration of the processing:

 

As set forth at Annex III.

 

C. COMPETENT SUPERVISORY AUTHORITY

 

Data Protection Commission (Ireland)

 

SCCs ANNEX II

 

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

As set forth at https://www.PandaDoc.com/legal/security-practices/.

 

 

 

SCCs ANNEX III

LIST OF SUBPROCESSORS – EU Servers/Data Residency

As set forth at https://www.PandaDoc.com/gdpr/subprocessors/

 

 

 

 

EXHIBIT 2 – UK INTERNATIONAL DATA TRANSFER ADDENDUM

 

This Exhibit 2 forms part of the DPA.

 

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

 

VERSION B1.0, in force 21 March 2022

 

This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

 

Part 1: Tables

 

Table 1: Parties

Start date: Effective Date of the Agreement

The Parties: Exporter (who sends the Restricted Transfer); Importer (who receives the Restricted Transfer)

Parties’ details (Exporter):

Full legal name: As set forth in the DPA

Trading name (if different): _____

Main address (if a company registered address): As set forth in the DPA

Official registration number (if any) (company number or similar identifier): _____

Parties’ details (Importer):

Full legal name: PandaDoc, Inc.

Trading name (if different): n/a

Main address (if a company registered address): 3739 Balboa Street #1083, San Francisco, CA 94121, United States.

Official registration number (if any) (company number or similar identifier): 3739 Balboa Street #1083, San Francisco, CA 94121, United States.

Key Contact (Exporter):

Full Name (optional): As set forth in Exhibit 2 of this DPA

Job Title: As set forth in Exhibit 2 of this DPA

Contact details including email: As set forth in Exhibit 2 of this DPA

Key Contact (Importer):

Full Name (optional): Bibek Bhattarai

Job Title: VP, Controller

Contact details including email: privacyteam@PandaDoc.com

Signature (if required for the purposes of Section 2)

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs: ☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: Effective Date of this DPA
Reference (if any): n/a
Other identifier (if any): n/a

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: PandaDoc and Customer
Annex 1B: Description of Transfer: As detailed in Annex I of the SCCs, detailed in Table 2
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As detailed in Annex II of the SCCs, detailed in Table 2.
Annex III: List of Sub processors (Modules 2 and 3 only): As detailed in Exhibit 1 of the DPA and noted on Appendix III of the SCCs, detailed in Table 2.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum:
☒ Importer
☒ Exporter
☐ neither Party

Alternative Part 2 Mandatory Clauses:

Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.