Voxbi is a trade name of Voipgate S.A.
This Data Processing Addendum (“DPA”) is made as of the Effective Date by and between Voxbi and Customer (each a “party”, together with the “parties”), pursuant to the Agreement for the provision of Mixvoip Services to Customer.
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data from the European Economic Area is processed by Voxbi under the Agreement on behalf of the Customer.
Other capitalised terms used but not defined in this DPA have the same meanings as set out in the Agreement.
1. Definitions
1.1 For the purposes of this DPA:
• “Voipgate” means collectively or individually Voipgate S.A., mVg.lu, Voxbi S.A.
• “Agreement” means the Agreement between Customer and Voxbi, whether written or electronic, for the provision of any Voxbi services (“Services”), and any attachments thereto.
• “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, EU Data Protection Legislation.
• “EEA” means the European Economic Area.
• “EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, including any applicable national implementations of it; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as amended, replaced or superseded).
• “Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
• “Processor” shall mean an entity which processes Personal Data on behalf of the Controller;
• “Personal Data” means any information relating to an identified or identifiable natural person;
• “Privacy Shield” means the EU-US and Swiss-US Privacy Shield self-certification programs operated and administered by the U.S. Department of Commerce; and
• “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as amended, superseded or replaced);
2. Applicability of DPA
2.1 Applicability of DPA. This DPA will apply only to the extent that Mixvoip processes Personal Data originating from the EEA, on behalf of Customer or Customer Affiliate.
3. Roles and responsibilities
3.1 Parties’ Roles. Customer, as Controller, appoints Mixvoip as a Processor to process the Personal Data that is the subject of the Agreement on the Customer’s behalf. Notwithstanding anything in this DPA, Voxbi will have the right to process Personal Data originating in the EEA in its capacity as Controller;
3.2 Purpose Limitation. Voxbi shall process the Personal Data for the purposes described in Annex A, except where otherwise required by applicable law. Any additional processing required by the Customer outside of the scope of the Agreement will require a prior written agreement between the parties, including the agreement on any additional fees that Customer may be required to pay.
3.3 Security. Voxbi will maintain appropriate security measures to safeguard the security of Personal Data. Voxbi will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity, and accessibility of Personal Data with administrative, technical, and physical measures conforming to generally recognized industry standards and practices. Voxbi shall implement appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
3.4 Privacy Shield: To the extent that Voxbi processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, such Personal Data shall have adequate protection (within the meaning of EU Data Protection Legislation) by virtue of Voxbi having self-certified its compliance with the Privacy Shield Framework. To the extent that Voxbi processes (or causes to be processed) any such Personal Data outside of the EEA, it shall commit to applying the Privacy Shield Principles.
3.5 Compliance: Customer, as Controller, shall be responsible for ensuring that:
• it has complied, and will continue to comply, with all Applicable Data Protection Laws, including in any instructions it issued to Voxbi under this Agreement and DPA; and
• it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Voxbi for processing in accordance with the terms of the Agreement and this DPA.
4. GDPR obligations
4.1 Applicability of Section: This Section 4 shall apply to the processing of Personal Data that is within the scope of the GDPR / that originates from the EEA from 25 May 2018 onwards.
4.2 Confidentiality of processing. Voxbi shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or statutory duty).
4.3 Sub-processors. The customer agrees that Voxbi may engage Voxbi affiliates and third-party sub-processors (collectively, “Sub-processors”) to process the Personal Data on Voxbi’s behalf. The Sub-processors currently engaged by Voxbi and authorized by the Customer will be provided as of May 25, 2018. Voxbi shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. Voxbi’s Sub-processors list upon request at dpo@voxbi.com.
4.4 Changes to Sub-processors. Voxbi may, by giving reasonable notice to the Customer, add or make changes to the Sub-processors. If the Customer objects to the appointment of an additional Sub-processor within five (5) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, then the parties will discuss such concerns in good faith with a view to achieving resolution. If such resolution cannot be reached, then Voxbi will either not appoint the Sub-processor or if this is not possible, the Customer will be entitled to suspend or terminate the affected Voxbi service in accordance with the termination provisions of the Agreement.
4.5 Security Incidents. “Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data. Upon becoming aware of a Security Incident, Voxbi shall notify Customer without undue delay at the contact information that Customer has provided in the Service Portal and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under EU Data Protection Legislation.
4.6 Cooperation and data subjects’ rights. Voxbi shall, taking into account the nature of the processing, provide reasonable assistance to Customers insofar as this is possible, to enable Customers to respond to requests from a data subject seeking to exercise their rights under EU Data Protection Legislation. In the event that such request is made directly to Voxbi, Voxbi shall promptly inform the data subject to contact the Customer administrator and inform of the same. It is the Customer’s sole responsibility to ensure that any administrator identified to manage and carry out data subject requests for the Customer Account has appropriate authority to fulfil the data subject requests.
4.7 Data Protection Impact Assessments: Voxbi shall, to the extent required by EU Data Protection Legislation, upon Customer’s request and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Legislation.
4.8 Provision of Security Reports: Voxbi shall provide, upon Customer’s request, copies of any relevant summaries of external security certifications or security audit reports necessary to verify Voxbi compliance with this DPA.
4.9 Other audits: While it is the parties’ intention ordinarily to rely on the provision of the documentation at Section 4.9 above to verify Voxbi’s compliance with this DPA, Voxbi shall permit the Customer (or its appointed third-party auditors) to carry out an audit of Voxbi’s processing of Personal Data under the Agreement following a Security Incident suffered by Voxbi, or upon the instruction of a data protection authority. Customer must give Voxbi thirty (30) days prior notice of such intention to audit, conduct its audit at the Customer’s own costs and during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Voxbi’s operations. Any such audit shall be subject to Voxbi’s security and confidentiality terms and guidelines.
4.10 Deletion or return of data: Upon termination or expiry of the Agreement, and upon written request, Voxbi shall, at Customer’s election, delete or return to Customer the Personal Data (including copies) in Voxbi’s possession, save to the extent that Voxbi is required by any applicable law to retain some or all of the Personal Data.
5. Miscellaneous
5.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
5.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
5.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
ANNEX A
DETAILS OF THE PROCESSING
Nature and Purposes of Processing:
Voxbi is a Luxembourgish based provider of VoIP and software-as-a-service (“Saas”) solutions for the way employees communicate and collaborate in business. Voxbi provides cloud-based communications and collaboration services for high-definition voice, video, messaging and collaboration, and conferencing online meetings (the “Services”). Voxbi processes the personal data of the individuals who participate in these communications, including Customers and End Users (Customer employees and authorized users).
Voxbi administers the Customer Account, including providing the Customer with usage and analytic reports concerning the Customer’s use of the Services.
Categories of Data Subjects:
Customer and End Users who use the Services, and any data subject who uses the Voxbi Services at the request of and in connection with the business of the Customer.
Type(s) of Personal Data Processed:
The personal data transferred concerns the following categories of data for the data subjects:
• Identification information for Customer’s End User contact information (address, telephone number (fixed and mobile), email address, fax number), employment information (job title).
• Identification information for anyone who uses the Voxbi Services at the request of and in connection with the business of the Customer (including telephone number (fixed and mobile), IP address, and email address).
• All call details records, including among others:
- The phone number of the subscriber originating the call (calling party)
- The phone number receiving the call (called party)
- The starting time and date of the call
- The call duration
- The billing phone number that is charged for the call
- The identification of the telephone exchange or equipment writing the record
- Any fault condition encountered
• Any other personal data that the Customer or Users choose to include in the content of the communications that are sent and received using the Voxbi Services.
• All faxes sent or received by the mean of a physical fax machine are not stored nor processed by Voxbi after transmission, either complete or incomplete.
• All faxes sent or received by the mean of an email (fax to mail/mail to fax) are stored by Mixvoip after transmission for 62 days, then permanently deleted.
• Call recordings can be carried out only in accordance with the Luxembourg law of 30/05/2005, art. 4, amended by the law of 28/07/2011, or its equivalent in Belgian law and German law.
- Call recordings are kept 20 days in the Voxbi phone system [hosted PBX] accessible by the customer and protected by a user name and password, then permanently deleted.
- Optional: upon customer’s request, Voxbi can create a dedicated storage volume to push all recordings. Recordings are not kept in the Voxbi phone system [hosted PBX]. Files are accessible by the customer and protected by a user name and password. Files are kept 183 days, then permanently deleted.
- Optional: upon customer’s request, the service is installed on an external server outside Voxbi’s control that fetches and deletes buffered recorded files on the Voxbi phone system [hosted PBX] and keeps them in the customers environment.
• It is the customer’s responsibility to inform callers and callees about the recording, its goal, the duration of retention, and to collect the parties’ agreements prior to the recording.
The personal data transferred to Voxbi for processing is determined and controlled by the Customer at its sole discretion. As such, Voxbi has no control over the volume and sensitivity of personal data processed through its Services by the Customer or End Users
Duration of Processing:
The personal data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties. According to art. 5 of the Luxembourg law of 30/05/2005, amended by the law of 28/07/2011, all call details records will be kept by Mixvoip for 12 months, or 6 months after the payment of the invoice free from any claim, or the longest of either period. Dynamic IP addresses for Internet connections are kept for 6 months. Customer invoices, including all details, are kept for 10 years. After these periods, data are anonymized.
Special Categories of Data:
Voxbi does not intentionally collect or process any special categories of data in the provision of its Services.