Data Processing Addendum

Attachment

Last Updated: 21June2024

This Data Processing Addendum (“DPA”) is made by and between Unified Calling and Customer (each a “Party“, together the “Parties“), and is supplemental to the agreement executed between the Parties to which it is attached (“Agreement”) for the provision of the Services to Customer. 

Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.

1. Definitions

1.1 For the purposes of this DPA:

(a) “Affiliate” means a person or entity that is controlled by a Party hereto, controls a Party hereto, or is under common control with a Party hereto, and “control” means beneficial ownership of greater than fifty percent (50%) of an entity’s then-outstanding voting securities or ownership interests. 

(b) “Agreement” means the main written or electronic agreement between Customer and Unified Calling for the provision of any of the Unified Calling Services. 

(c) “Applicable Data Protection Laws” means all data protection and privacy laws applicable to Unified Calling in the processing of Personal Data under this DPA.

(d) “Controller” shall have the same meaning under Applicable Data Protection Law. 

(e) “Customer Personal Data” means any Personal Data that Unified Calling processes as a Processor under the Agreement. 

(f) “Personal Data” means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Law. 

(g) “Processor” shall have the same meaning under Applicable Data Protection Law.

(h) “Security Incident” means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data that compromises the privacy, security, or confidentiality of such Personal Data.

(i) “Services” means the Unified Calling services as described in Annex I.

2. Scope of DPA

2.1 This DPA will apply to the extent that Unified Calling processes Customer Personal Data on behalf of a Customer as a Processor,  where such processing is further detailed in Annex 1. Any processing of Personal Data as a Controller by Unified Calling is out of scope of this DPA.

3. Roles and Responsibilities

3.1 Parties’ Roles

As between the Parties and for the purposes of this DPA, Customer shall be the Controller of the Customer Personal Data processed by Unified Calling under the Agreement as a Processor. Unified Calling will comply with the obligations of a Controller to the extent it processes Personal Data as a Controller for Unified Calling’s legitimate business purposes, including as necessary for the operation of the Services, and as necessary to comply with applicable law.

3.2 Obligations of the Customer. Customer undertakes to:

(a) Ensure that it may lawfully disclose the Customer Personal Data to Unified Calling for the purposes set out in the Agreement.

(b) Comply with applicable data protection laws in its use of the Services, and its own collection and processing of Personal Data including Customer Personal Data. Customer acknowledges and confirms that Customer has informed its employees (current and future) and its works council as applicable, that as part of the Services, Customer has access to the traffic data; and

(c) Process special categories of Personal Data or sensitive data (as defined by Applicable Data Protection Laws), or Personal Data concerning children or minors, or related to criminal convictions and offenses, lawfully and relying on a valid legal basis in accordance with Applicable Data Protection Laws. The Parties acknowledge that the Services are not designed to recognize and/or classify such data.

3.3 Purpose Limitation

(a) Except where otherwise required by applicable law, Unified Calling shall process the Customer Personal Data (i) in accordance with Customer’s documented instructions (which instructions are set out in the Agreement, this DPA and Customer’s configuration and use of the Services, in accordance with the applicable terms of use), (ii) for the purposes of providing, monitoring, supporting, improving, and maintaining the Services.

(b) Unified Calling shall not engage in the sale of any Personal Data.

3.4 Confidentiality of Processing

Unified Calling shall ensure that any person that it authorizes to process the Customer Personal Data shall be subject to a duty of confidentiality (either a contractual or a statutory duty).

3.5 Security

Unified Calling will maintain appropriate technical and organizational security measures to safeguard the security of Customer Personal Data. Unified Calling’s security measures are set out in the Unified Calling Security Addendum. Unified Calling will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity and accessibility of Customer Personal Data with administrative, technical and physical measures conforming to generally recognized industry standards and practices.

3.6 Security Incidents

Upon becoming aware of a Security Incident, Unified Calling shall notify Customer without undue delay at the contact information that Customer has provided in the Administrative Portal and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfill any data breach reporting obligations under Applicable Data Protection Laws.

3.7 Provision of Security Reports

Unified Calling will select an independent, qualified third-party auditor to conduct, at Unified Calling’s expense, at least annual audits of the security of the Services and environments, in accordance with internationally recognized standards such as ISO27001, the SOC 2, Type II standards or its equivalent. Upon Customer request and under Non-Disclosure Agreement, Unified Calling will provide a copy of the most recent audit reports (or similar security attestation) to document compliance with the foregoing requirement, where such certification is available. Such audit report is Unified Calling’s Confidential Information and Customer will not distribute to any third party without Unified Calling’s written approval.

3.8 Deletion or Return of Data

Upon termination or expiry of the Agreement, Unified Calling shall delete Customer Personal Data (including copies) in Unified Calling’s possession or, at Customer’s request, provide options to return the Personal Data to the customer, save to the extent that Unified Calling is required by applicable law to retain some or all of the Customer Personal Data.

4. GDPR Obligations

4.1 Applicability

This Section 4 shall apply to the processing of Customer Personal Data that is subject to the protection of the GDPR.

4.2 Subprocessors

Customer agrees that Unified Calling and its Affiliates may engage Unified Calling Affiliates and third- party subprocessors (collectively, “Subprocessors”) to process the Personal Data on Unified Calling’s behalf. Depending on the scope and the nature of the subprocessing, Unified Calling shall impose data protection terms on such Subprocessors that protect Customer Personal Data to an equivalent standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Subprocessor.

4.3 Subprocessor Notification

Unified Calling may, by giving reasonable notice to the Customer, add or replace the Subprocessors. If the Customer objects to the appointment of an additional Subprocessor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of the Customer Personal Data, then the Parties will discuss such concerns with a view to achieving resolution. If such resolution cannot be reached, then Unified Calling will either not appoint the Subprocessor or, if this is not possible, Customer will be entitled to suspend or terminate the affected Unified Calling Service without penalty with a thirty (30) day written notice to Unified Calling. Notwithstanding the foregoing, in the event of an unforeseeable force majeure (such as a Unified Calling Subprocessor failure) that can provoke a degradation or interruption of the Service, Unified Calling reserves the right to immediately change the failing Subprocessor in order to maintain or restore the standard conditions of the Service. In this situation, the notification of Subprocessor change may be exceptionally sent after the change.

4.4 Cooperation and Data Subjects’ Rights

It is the Customer’s responsibility to respond to any data subject request. Some of the Unified Calling Services may provide direct technical means to enable Customer to fulfil its duties to respond to requests from data subjects under Applicable Data Protection Laws. If Customer is unable to address the data subject’s request through such technical means, or where such functionality is not available, Unified Calling shall, taking into account the nature of the processing, provide reasonable assistance to Customer, to enable Customer to respond to such data subject requests. In the event that such request is made directly to Unified Calling, Unified Calling shall promptly direct the data subject to contact the Customer.

4.5 Data Protection Impact Assessments

Unified Calling shall, to the extent required by the GDPR, and upon Customer’s request and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under GDPR in relation to the scope of the Services provided to Customer under the Agreement.

4.6 International Transfers

Unified Calling may transfer and process Customer Personal Data outside the European Economic Area (“EEA”), Switzerland, or the United Kingdom, in accordance with the applicable Subprocessor list, to locations where Unified Calling, its Affiliates or its Subprocessors maintain data processing operations.

(a) Data Privacy Framework. Unified Calling complies with and has certified to the U.S. Department of Commerce its adherence to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Unified Calling’s Notice of Certification applies  to the Services.

(b) Standard Contractual Clauses. To the extent that Unified Calling processes (or causes to be processed) any Customer Personal Data originating from the EEA, Switzerland, or the United Kingdom in a country that has not been recognized by the European Commission as providing an adequate level of protection for Customer Personal Data, Unified Calling will put in place such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws, which include the execution of the applicable EU Commission’s Standard Contractual Clauses, and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the putting in place of any other valid transfer mechanism.

 4.7 Audits

(a) Both Parties acknowledge that it is the Parties’ intention ordinarily to rely on the provision of the security reports at Section 3.7 above to verify Unified Calling’s compliance with this DPA.

(b) Additionally, upon request from Customer, but not more than once during each twelve (12) month period, Unified Calling shall complete a Customer provided information security program questionnaire, limited in scope to the actual services/environments related to the Services provided to Customer (“Security Review”).

 (c) After Customer’s review of Unified Calling’s audit report or similar attestation, and of the completed information security questionnaire (including any changes introduced by Unified Calling to address any gaps), if, to the extent required by the GDPR, additional information is reasonably necessary to demonstrate compliance with Unified Calling’s obligations pursuant to Applicable Data Protection Laws and this DPA, Customer may request in writing to perform an audit (including inspections) of Unified Calling pursuant to the audit request procedure below, no more than once every twelve (12) month period, unless a supervisory authority specifically requires that an audit is carried out of Unified Calling or in response to a Security Incident.

(d) In order to exercise its right to audit pursuant to this section, Customer must provide Unified Calling with a written, detailed request, including the explanation of gaps in Unified Calling’s provided audit reports and in the Security Review that render the audit necessary to demonstrate Unified Calling’s compliance with this DPA or with applicable law.

(e) The audit may be performed by Customer or a third-party auditor (any such third party under strict confidentiality obligations, including requirements that individual auditors appointed have not performed audits of any of Unified Calling’s competitors in the previous twelve (12) months and that they will be prohibited from performing such audits in the twelve (12) months following Unified Calling’s audit) solely at Customer’s expense. Unified Calling may object in writing to any third-party auditor if the auditor is, in Unified Calling’s reasonable opinion, not suitably qualified or independent, a competitor of Unified Calling, or otherwise manifestly unsuitable. Any such objection by Unified Calling will require the Customer to appoint another auditor or conduct the audit itself.

(f) Unified Calling and Customer will agree in advance upon the scope and timing of the audit, to protect the confidential and proprietary Information of Unified Calling and other Parties, to minimize disruption to Unified Calling’s business, to limit the scope to the actual services/environments related to the Services provided to Customer under the Agreement, and to agree on a reasonable duration of the audit.

(g) The audit performance will occur during regular business hours for the Unified Calling personnel involved and the Parties agree that Unified Calling will make available material for Customer’s review, but not for Customer to retain. Unified Calling may charge a reasonable fee for costs incurred in connection with any such audit based on Unified Calling’s professional services rates, unless the audit shows a material breach on the part of Unified Calling. Unified Calling will provide the Customer with details of any applicable fee, and the basis of its calculation, in advance of any such audit.

(h) All information provided or made available to Customer pursuant to this section shall be deemed Confidential Information of Unified Calling.

 4.8 Data Disclosure Requests

If Unified Calling receives a request from a law enforcement or other government authority to disclose Personal Data that Unified Calling is processing on the Customer’s behalf, Unified Calling will notify and provide the Customer with the details of the data disclosure request prior to disclosing any Personal Data, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

5. Miscellaneous

5.1 Unless the above explicitly states otherwise the terms and conditions of the Agreement shall apply to the DPA. In case of any conflict between the terms of the Agreement and the terms of this DPA, the terms of this DPA prevail with regard to data processing activities.

5.2 The governing law and forum that apply to the Agreement also apply to this DPA.

5.3 Contact information for privacy inquiries: [email protected].

5.4 The Annexes attached to the DPA are :

– Annex 1 – Description of the Processing

– (If applicable) Annex 2 – Unified Calling Customer United States Privacy Addendum

 

Annex 1 – DESCRIPTION OF THE PROCESSING

Unified Calling is a provider of:

1. Cloud-based communications and collaboration services for high-definition voice, video, SMS, chat messaging and collaboration, conferencing, online meetings, and fax.

2. Customer contact center services and an omni-channel customer communication management platform that unifies all customer-facing communication channels, including voice, email, SMS, website, mobile app, chat and social media communications, onto a single platform, enabling community responses to customer service inquiries.

3. Virtual events and presentation services

4. Professional services

All the above as specified in the Agreement, collectively (the “Services”).

Services may include dashboards providing various metrics and insights on customers’ communications, some of which are based on a conversation intelligence platform involving artificial intelligence.

The data processing impacts the following categories of data subjects:

  • Customer’s employees and authorized users who use the Services in connection with the business of the Customer. 
  • Any other individuals who are involved in or referred to in the content of communications or collaborations taking place through the Customer’s use of the Services.

The categories of Customer Personal Data processed include:

  • Identification information for Customer’s administrator, contact information, such as address, telephone number (fixed and mobile), e-mail address, and fax number, employment information, such as job title and business role.
  • Identification information for anyone, including Customers’ employees, who use the Services at the request of and in connection with the business of the Customer, including telephone number (fixed and mobile) and email address.
  • Call detail records, including numbers of the calling and the receiving party, start date and time of the call, duration of the call.
  • For Services such as Unified Calling Cloud System – Bronze, Silver, Gold & Platinum:
    • Identification information for end users such as full name, gender, contact information (address, telephone number (fixed and mobile), e-mail address, fax number), employment information (job title) and company name. 
    • Identification information of Customer’s employees or authorized users or other third-party contributors, including name and email address. 
    • Content published on communication channels connected to the Services, including public information on social media channels connected to the Service. 
    • Content published on the online sharing space, including any public posts and private messages.
  • Any other Customer Personal Data that the Customer, its authorized users or third parties involved in the communications choose in their sole discretion to include in the content of the communications that are sent and received using the Services.
  • Any other Customer Personal Data that may be necessary for Unified Calling to provide the Services as described in the Agreement.

Special Categories of Customer Personal Data

The Services are not designed to recognize and/or classify data as special categories of data or sensitive data (as defined in the GDPR or in other Applicable Data Protection Laws), nor as Personal Data concerning children or minors, or related to criminal convictions and offenses. Insofar as Customer processes special categories of Personal Data, Customer undertakes to process this category of Personal Data lawfully, and in particular to rely on a valid legal basis in accordance with Applicable Data Protection Laws.

Processing Operations Unified Calling processes Customer Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of publishing content on public/private communications channels, for customer relationship management, user management, and customer support. Unified Calling publishes authorized users’ content onto the public or private communication channels connected to their platform and synchronizes end user content from the same channels. Unified Calling stores and displays Customer information and conversations history to the authorized users.

Customer Personal Data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the Parties.

Annex 2 – Unified Calling Customer United States Privacy Terms

This United States Privacy Addendum (“US Privacy Terms”) is made by and between Unified Calling and Customer (each a “Party”, together the “Parties”), and is supplemental to the Data Processing Addendum (“DPA”) as appended to the Agreement (defined below), executed between the Parties, for the provision of the Services to Customer.

Where US State Privacy Laws apply to Unified Calling’s processing of Customer Personal Data on behalf of Customer, the terms of this US Privacy Terms, which forms part of the DPA will apply and will supplement as appropriate the provisions of the DPA. For the avoidance of doubt, in the event Unified Calling’s processing of Customer Personal Data on behalf of Customer is not subject to US State Privacy Laws, then this US Privacy Terms will not apply.

Capitalized terms used but not defined in this US Privacy Terms shall have the same meanings as set out in the Agreement.

1. Definitions

1.1 Agreement shall mean and refer to the main written or electronic agreement between Customer and Unified Calling for the provision of any of the Unified Calling Services to the Customer.

1.2. CPA shall mean and refer to the Colorado Privacy Act, as may be amended, and its implementing regulations.

1.3 CPPA shall mean and refer to the California Privacy Protection Agency, which is vested with the full administrative power, authority, and jurisdiction to implement and enforce the CPRA. 

1.4 CPRA shall mean and refer to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any implementing regulations promulgated thereunder. 

1.5 Customer Personal Information shall mean and refer to any Personal Information that Unified Calling processes on behalf of Customer as a Service Provider under the Agreement. 

1.6 CTDPA shall mean and refer to the Connecticut Data Privacy Act, as may be amended, and its implementing regulations.

1.7 Personal Information shall mean and refer to any information relating to an identified or identifiable person or individual and also includes personal data, as defined by applicable US State Privacy Laws. 

1.8 Sell shall have the same meaning as set forth in the CPRA. 

1.9 Share shall have the same meaning as set forth in the CPRA.

1.10 Service Provider shall mean and refer to a service provider or subcontractor, as defined by applicable US State Privacy Laws, that processes Customer Personal Information on Customer’s behalf or on Unified Calling’s behalf, where Unified Calling is a Service Provider to Customer, for the purposes of the Agreement. 

1.11 US State Privacy Laws shall mean and refer to all United States data protection and privacy laws which may be applicable to Unified Calling in the processing of Customer Personal Information as part of the performance of the Services provided to Customer under the Agreement. 

1.12 VDCPA shall mean and refer to the Virginia Consumer Data Protection Act, as may be amended, and its implementing regulations.

2. Scope of US Privacy Addendum

2.1 These US Privacy Terms will apply only to the extent that Unified Calling processes Customer Personal Information on behalf of a Customer as a Service Provider under US State Privacy Laws, where such processing is described in Annex I of the DPA.

3. Roles and Responsibilities

3.1. Unified Calling Obligations

3.1.1 Purpose Limitation

Unified Calling shall process the Customer Personal Information for the purposes of the performance of the Services as described in the Agreement and the DPA except where otherwise required or permitted by US State Privacy Laws. Such purposes include providing, monitoring, supporting, improving, and maintaining the Services, including through automated means such as artificial intelligence.

3.1.2 CPRA

For the purposes of Customer Personal Information subject to the CPRA, Unified Calling will:

3.1.2.1 Comply with the applicable CPRA obligations. 

3.1.2.2 Provide the same level of privacy protection as required by CPRA.

3.1.2.3 Notify the Customer if it can no longer meet its CPRA obligations. 

3.1.2.4 Not Sell or Share Customer Personal Information. 

3.1.2.5 Not retain, use, or disclose Customer Personal Information for any other purpose other than as agreed upon in the Agreement, outside the direct business relationship between the Parties, or as permitted by CPRA. 

3.1.2.6 Not combine Customer Personal Information it receives from, or on behalf of, Customer with Personal Information it receives from, or on behalf of, another person, or collects from its own interaction with the End User, subject to the exceptions under CPRA, including that Unified Calling may combine Customer Personal Information to perform any business purpose as defined in the California Consumer Privacy Act Regulations, California Code of Regulations, Title 11, Division 6, Chatpter 1, sections 7000 et seq.  

3.1.2.7 Cooperate with Customer, upon Customer’s reasonable notice, to determine reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information, to the extent there is any unauthorized use of Customer Personal Information.

3.1.3 Confidentiality of Processing

Unified Calling shall ensure that any person that it authorizes to process the Customer Personal Information shall be subject to a duty of confidentiality (either a contractual or a statutory duty).

3.1.4 Security

Unified Calling will maintain appropriate technical and organizational security measures to safeguard the security of Customer Personal Information. Unified Calling will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity and accessibility of Customer Personal Information with administrative, technical and physical measures conforming to generally recognized industry standards and practices. Unified Calling’s security measures are set out in the Unified Calling Security Addendum.

3.1.5 Deletion or Return of Data

Upon termination or expiry of the Agreement, Unified Calling shall delete Customer Personal Information (including copies) in Unified Calling’s possession or, at Customer’s request, provide options to return the Personal Information to the Customer, save to the extent that Unified Calling is required by applicable law to retain some or all of the Customer Personal Information.

3.2 Customer Obligations

Customer undertakes to:

3.2.1 Ensure that it may lawfully disclose the Customer Personal Information to Unified Calling for the purposes set out in the Agreement.

3.2.2 Comply with US State Privacy Laws in its use of the Services, and its own collection and processing of Customer Personal Information. 

3.2.3 Process sensitive Personal Information (as defined by US State Privacy Laws), or Personal Information concerning children or minors, or related to criminal convictions and offenses, lawfully, and relying on a valid legal basis in accordance with US State Privacy Laws. The Parties acknowledge that the Services are not designed to recognize and/or classify such Personal Information and that Customer will be responsible when processing this Personal Information using the Services.

4. Service Providers

4.1 Notification. Where required by US State Privacy Laws, Unified Calling will notify Customer before it engages another Service Provider. Where required by US State Privacy Laws, Unified Calling will allow Customer thirty (30) calendar days to object to such engagement on reasonable grounds relating to the protection of Customer Personal Information.

4.2 Agreements. Unified Calling shall impose data protection terms on such Service Providers that protect Customer Personal Information to an equivalent standard provided for by these US Privacy Terms.

5. Audits

5.1 Unified Calling will select an independent, qualified third-party auditor to conduct, at Unified Calling’s expense, at least annual audits of the security of the Services and environments, in accordance with internationally recognized standards such as ISO27001, the SOC 2, Type II standards or its equivalent. Upon Customer request and under Non-Disclosure Agreement, Unified Calling will provide a copy of the most recent audit reports (or similar security attestation) to document compliance with the foregoing requirement, where such certification is available. Both Parties acknowledge that it is the Parties’ intention ordinarily to rely on the provision of the security reports in this section to verify Unified Calling’s compliance with this US Privacy Terms, the VDCPA, CPA, and/or the CTDPA.

5.2 Where required by US State Privacy Laws, Unified Calling will cooperate with Customer to make available all information in Unified Calling’s possession to demonstrate compliance with its obligations in the VDCPA, CPA and/or the CTDPA, as applicable.

5.3 Additionally, upon request from Customer, but not more than once during each 12-month period, Unified Calling shall complete a Customer provided information security program questionnaire, limited in scope to the actual services/environments related to the Services provided to Customer (“Security Review”).

5.4 After Customer’s review of Unified Calling’s audit report or similar attestation, and of the completed information security questionnaire (including any changes introduced by Unified Calling to address any gaps), if, to the extent required by US State Privacy Laws, additional information is reasonably necessary to demonstrate compliance with Unified Calling’s obligations pursuant to US State Privacy Laws and this US Privacy Terms, Customer may request in writing to perform an audit (including inspections) of Unified Calling pursuant to the audit request procedure below, no more than once every twelve (12) month period, unless a supervisory authority specifically requires that an audit is carried out of Unified Calling.

5.5 In order to exercise its right to audit pursuant to this section, Customer must provide Unified Calling with a written, detailed request, including the explanation of gaps in Unified Calling’s provided audit reports and in the Security Review that render the audit necessary to demonstrate Unified Calling’s compliance with these US Privacy Terms or with US State Privacy Laws.

5.6 The audit may be performed by Customer or a third-party auditor (any such third party under strict confidentiality obligations, including requirements that individual auditors appointed have not performed audits of any of Unified Calling’s competitors in the previous twelve (12) months and that they will be prohibited from performing such audits in the twelve (12) months following Unified Calling’s audit) solely at Customer’s expense. Unified Calling may object in writing to any third-party auditor if the auditor is, in Unified Calling’s reasonable opinion, not suitably qualified or independent, a competitor of Unified Calling, or otherwise manifestly unsuitable. Any such objection by Unified Calling will require the Customer to appoint another auditor or conduct the audit itself.

5.7 Unified Calling and Customer will agree in advance upon the scope and timing of the audit, to protect the confidential and proprietary Information of Unified Calling and other Parties, to minimize disruption to Unified Calling’s business, to limit the scope to the actual services/environments related to the Services provided to Customer, and to agree on a reasonable duration of the audit.

5.8 The audit performance will occur during regular business hours for the Unified Calling personnel involved and the Parties agree that Unified Calling will make available material for Customer’s review, but not for Customer to retain. Unified Calling may charge a reasonable fee for costs incurred in connection with any such audit based on Unified Calling’s professional services rates, unless the audit shows a material breach on the part of Unified Calling. Unified Calling will provide the Customer with details of any applicable fee, and the basis of its calculation, in advance of any such audit.

5.9 All information provided or made available to Customer pursuant to this section shall be deemed Confidential Information of Unified Calling and Customer will not distribute to any third party without Unified Calling’s written approval.

6. US Educational Institutions

6.1. COPPA. Information about usage of the Services in accordance with COPPA requirements is available on the Children’s Privacy Policy, and incorporated by reference. If applicable, Customer hereby agrees to obtain and provide, or cause a School Partner to obtain and provide, verifiable consent to Unified Calling’s collection, use, and disclosure of Personal Data in accordance with the Children’s Privacy Policy.

6.2. FERPA. For the purposes of the Agreement, if Customer is an educational agency or institution subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), Unified Calling shall operate as a school official with legitimate educational interests in obtaining or accessing Personally Identifiable Information, including Education Records pertaining to students (as those terms are defined under FERPA). Unified Calling shall only use or disclose such Personally Identifiable Information in accordance with the requirements of 34 C.F.R. § 99.33(a) (governing the use and redisclosure of Personally Identifiable Information from Education Records) as is reasonably necessary to provide the Cloud System Services or for Unified Calling to otherwise perform its obligations under the Agreement. Customer acknowledges Unified Calling is under its direct control with respect to the use and maintenance of Education Records, and Customer agrees to be solely responsible for protection of Personally Identifiable Information from Educational Records.

7. Miscellaneous

7.1. Unless the above explicitly states otherwise the terms and conditions of the Agreement, including any DPA, shall apply to the US Privacy Terms. In case of any conflict between the terms of the Agreement, including any DPA, and the terms of these US Privacy Terms, the terms of these US Privacy Terms prevails with regard to data processing activities subject to US State Privacy Laws.

7.2. The governing law and forum that apply to the Agreement also apply to these US Privacy Terms.

7.3. Contact information for privacy inquiries: [email protected].