Data Processing Agreement
Last updated: Sept 12, 2022
This Data Processing Agreement (“DPA”) records the parties’ agreement with respect to the processing of Personal Data by Ringaly Inc. (“Ringaly”) on your behalf to provide communication services subject to our Terms of Service (“Terms”).
​
By providing Ringaly access to personal data under your control you agree to the terms of this DPA. This DPA is incorporated into our general Ringaly Terms.
​
Definitions
-
“Confidential Information” is any confidential information disclosed by an Organization to Ringaly, provided that it is relevant to this DPA and is either marked as confidential or could reasonably be deemed to be of a confidential nature.
-
“Data” means personal data, as defined in regional Data Protection Regulations.
-
“Data Breach” definitions vary slightly between regional Data Protection Regulations but usually means the accidental or malicious disclosure of personal data.
-
“Data Controller” definitions vary between regional Data Protection Regulations but usually means the entity that chooses how Data is processed.
-
“Data Processor” definitions vary between regional Data Protection Regulations but usually means the entity that processes Data on behalf of the Data Controller.
-
“Data Protection” definitions vary between regional Data Protection Regulations but usually means legal, technical and procedural measures aimed at preventing accidental or malicious disclosure of Data.
-
“Data Protection Regulations” means all applicable data protection and privacy regulations that apply in the local regulatory environment governing Data shared with Ringaly, e.g. CCPA (California), GDPR (EU or UK).
-
“Data Subject(s)” definitions vary between regional Data Protection Regulations but usually means the living individual to whom personal data relates.
-
“DPA” means this Data Processing Agreement.
-
“Effective Date” is the date on which the organization accepts the terms of this DPA.
-
“Expired” refers to Data that is no longer required by Ringaly processing.
-
“Good Industry Practice” in the context of this DPA means using security technologies and procedures (to protect Data against accidental or malicious disclosure) that would reasonably be expected from a skilled and experienced Data Protection practitioner in a similar Data Protection context.
-
“Parties” refers to Ringaly (acting as a Data Processor) and Organizations who share personal data with Ringaly so that Ringaly can provide its communications service to the Organizations.
-
“Organization(s)” are typically schools or care homes, who share personal data of students or residents with Ringaly, so they can use Ringaly to communicate with their family contacts. But Organizations can also be individuals, families or other types of organization.
-
"Ringaly", "we", "us" and "our" refers to Ringaly Inc. and its employees, consultants, officers, directors, or agents.
-
“Standard Contractual Clauses (SCC)” are standard contractual clauses governing data transfers between EU and non-EU countries.
-
"Services" refers to all services provided by Ringaly.
-
"Site" refers to any web site made available by Ringaly.
-
“Sub-Processor(s)” are third parties used by Ringaly to process Data (to provide its Services) in accordance with the terms of this DPA.
​
General
-
The effective date of this DPA is the date that the Organization first shares Data with Ringaly.
-
This DPA applies to the extent that Ringaly processes Organization Data subject to local Data Protection Regulations.
-
By sharing Data with Ringaly the Organization agrees to the terms of this DPA.
-
The Parties acknowledge that to comply with Data Protection Regulations Ringaly is acting as a Data Processor and the Organization is acting as a Data Controller (in respect of the Data the Organization is sharing with Ringaly). Each party shall comply with their respective obligations under the Data Protection Regulations.
-
Ringaly also acts as a Data Controller for Data collected when individuals use our service directly - for example logging in to our website, contacting us or requesting support. In this case, handling of this Data is governed by our Privacy Policy and not by this DPA.
-
Ringaly will comply with all applicable Data Protection Regulations governing its processing of Organization Data.
-
Ringaly will only process the minimum amount of Organization Data required to operate its Services (unless further processing is required by local laws).
-
The Organization hereby authorizes Ringaly to process Organization Data to operate its Services as described on its Site.
-
The Organization hereby warrants and represents that sharing Organization Data with Ringaly is lawful under, and in full compliance with, Data Protection Regulations.
-
The Organization will indemnify Ringaly against all costs, claims, damages, expenses, losses and liabilities incurred by Ringaly from any breach of this warranty and representation.
-
Term, Termination and Data Retention
-
This DPA will begin on the Effective Date and continue until the Organization terminates its contract with Ringaly (or Ringaly terminates its contract with the Organization).
-
Upon termination of this DPA all clauses (of this DPA) that pertain to protecting Data , compliance with Data Protection Regulations and warranties and liabilities will continue to apply.
-
Data processed by Ringaly will be considered to have Expired when it is no longer required for processing by Ringaly. Data can expire for many reasons, such as termination of this agreement, changing Organization Data, privacy requests, etc.
-
Ringaly will use all reasonable endeavors to delete Expired Data from primary Ringaly storage (used for day-to-day operation of our Services) within 30 days of expiration. Deletion of Expired Data from secondary storage (secure backups used to make our Services resilient to failures) may take up to a year.
​
Data Transfer
-
The Organization hereby consents to sharing Organization Data with Ringaly so that Ringaly can operate its Services as described on its Site.
-
Data transferred from the Organization to Ringaly will be encrypted in transit (for example via HTTPS) and in storage, by Ringaly and its Sub-Processors.
-
The Organization agrees that it is solely responsible for he accuracy, quality, and legality of its Organization Data; is complying with all the requirements of applicable Data Protection Regulations; has the right to share Organization Data with Ringaly for processing under the terms of this DPA
-
The Organization will indemnify Ringaly against all costs, claims, damages, expenses, losses and liabilities incurred by Ringaly arising from any of the above data transfer clauses.
​
Data Ownership
Organization Data remains the property of the Organization. Therefore the Organization remains responsible for complying with applicable Data Protection Regulations.
Ringaly will have no responsibility to protect or secure Organization Data stored or processed outside Ringaly’s direct control.
​
Confidentiality
-
Ringaly will keep all Confidential Information and Organization Data confidential by Good Industry Practice and will not use any Confidential Information or Organization Data except for the purpose of providing its Services to the Organization.
-
Ringaly will not disclose any Confidential Information to any third party, except as is permitted by this DPA, or as required for operating of its Services (e.g. to Ringaly’s authorized Sub-Processors), or as required by law.
-
Ringaly will ensure that it has Confidentiality Agreements in place with its Sub-Processors and that confidential Organization Data is secured and protected by Sub-Processors using Good Industry Practice.
​​
Sub-Processors and International Transfers
-
The Organization authorizes Ringaly to use third party Sub-Processors (to process Organization Data in order to provide its Services).
-
See https://ringaly.com/sub-processors for a list of Ringaly’s authorized Sub-Processors, with information about what Ringaly uses them for and links to their respective Data Protection policies.
-
The Organization authorizes Ringaly to add or remove Sub-Processors (to process Organization Data in order to provide its Services), provided Ringaly performs due diligence to ensure that new Sub-Processors comply with Good Industry Practice (for Data Protection) and Data Protection Regulations.
-
The Organization authorizes Ringaly to transfer Organization Data to international Sub-Processor facilities that may be outside the regulatory region from which the Data originates (e.g. outside the US, EEA, UK), without obtaining prior consent from the Organization, provided that:
-
Organization Data is transferred to a region subject to adequacy regulations under the Data Protection Regulations of the region from which the Data originates.
-
Ringaly uses a cross-border transfer mechanism considered valid by the Data Protection Regulations of the region from which the Data originates, and where Ringaly ensures that appropriate safeguards are in place to ensure an adequate level of Data Protection as required by the Data Protection Regulations of the region from which the Data originates.
-
The transfer otherwise complies with Data Protection Regulations.
-
-
If international transfer of Organization Data requires execution of SCCs in order to comply with the Data Protection Regulations, the Parties will agree to enter into a further agreement to reflect the SCCs.
​​
Data deletion
-
The Organization may request Ringaly to delete (all or subsets of) Organization Data from Ringaly storage and that of our Sub-Processors. Upon receiving this request Ringaly will use all reasonable endeavors to delete Organization Data from Ringaly storage and that of its Sub-Processors.
-
Ringaly will use all reasonable endeavors to delete Organization Data from primary Ringaly (and Sub-Processor) storage (used for day-to-day operation of our Services) within 30 days of a Data deletion request.
-
Deletion of Data from secondary storage (secure backups used to make our Services resilient to failures) may take up to a year, but Ringaly will use all reasonable endeavors not to restore Data designated as deleted from backups.
-
Ringaly and its Sub-Processors may retain Organization Data if required by law, but will ensure the confidentiality of all such retained Organization Data and only process such retained Organization Data as required by law and for no other purpose.
Audit rights
-
Ringaly will make available to the Organization on request all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by the Organization or an auditor mandated by the Organization, in relation to the processing of Organization Data by Ringaly and its Sub-Processors.
-
These audit rights apply only to the extent required by Data Protection Regulations.
-
The Organization may only request a maximum of one audit per calendar year.
Data Subject Rights
-
Taking into account the nature of the Data processing conducted by Ringaly and its Sub-Processors, Ringaly will (and will use all reasonable endeavors to procure that its Sub-Processors will) assist the Organization by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Organization obligations, as reasonably understood by the Organization, to respond to requests to exercise Data Subject rights under the Data Protection Regulations.
-
Ringaly will promptly notify the Organization if it receives a request from a Data Subject under any Data Protection Regulation in respect of Organization Data; and ensure that it does not respond to that request except on the instructions of the Organization or as required by applicable laws to which the Processor is subject, in which case Ringaly will to the extent permitted by applicable laws inform the Organization of that legal requirement before Ringaly responds to the request.
​
Data Breach
-
Ringaly will promptly notify the Organization upon becoming aware of a Data Breach, providing the Organization with sufficient information to allow the Organization to meet any obligations to report or inform Data Subjects of the Data Breach under the Data Protection Regulations.
-
Ringaly will cooperate with the Organization and take reasonable commercial steps to assist in the investigation, mitigation and remediation of the Data Breach.
​​
Data Protection Impact Assessment
-
Ringaly will provide reasonable assistance to the Organization with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Organization reasonably considers to be required by Data Protection Regulations, in each case solely in relation to processing of Organization Data by, and taking into account the nature of the processing and information available to, Ringaly and its Sub-Processors.
​
Liability
-
Ringaly will have no liability to the Organization, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, for or in connection with:
-
Loss, interception or corruption of any Data, other than to the extent such loss is caused by the negligence or fault of Ringaly.
-
Loss, interception or corruption of any Data resulting from any negligence or default by any Sub-Processor.
-
Damage to reputation or goodwill.
-
Any indirect or consequential loss.
-
-
Ringaly’s maximum liability to the Organization, whether arising in contract, tort (including negligence), breach of statutory duty or otherwise, in connection with the Services or related to this DPA shall be limited to the aggregate amount paid or payable for the Services during the 12-month period preceding the event giving rise to the claim.
Legal proceedings
-
The Organization agrees that the Services shall be deemed solely based in California and that the Services shall be deemed passive and do not give rise to personal jurisdiction over Ringaly, either specific or general, in jurisdictions other than California. You expressly agree that your rights and obligations, this terms of service and any disputes shall be governed by and interpreted in accordance with the laws of the State of California, excluding its choice of law rules. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any claim or dispute between you and Ringaly that arises in whole or in part from the Services shall be decided exclusively by a court of competent jurisdiction located in San Francisco, California, unless submitted to arbitration as set forth below.
​
Limited arbitration rights
-
For any claim (excluding claims for injunctive or other equitable relief) under this terms of service where the total amount of the award sought is less than $10,000, the party requesting relief may elect to resolve the dispute through binding non-appearance-based arbitration. The party electing such arbitration shall initiate the arbitration through an established alternative dispute resolution provider mutually agreed upon by the parties. The alternative dispute resolution provider and the parties must comply with the following rules:
-
The arbitration shall be conducted by telephone, online and/or be solely based on written submissions, as selected by the party initiating the arbitration.
-
The arbitration shall not involve any personal appearance by the parties or witnesses unless otherwise mutually agreed by the parties.
-
Any judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction.
Updates
-
Ringaly may vary the terms of this DPA from time to time by giving notice to the Organization in advance of the variation.