Skip to main content

Regpack Service Agreement and Data Processing Agreement

  • Updated

Regpack Service Agreement

This Service Agreement is a legal agreement between Regpack Inc. (hereafter referred to as the or "Regpack" or "we" or "our" or "us") will enter into this agreement with you (hereafter as the “client” or "you" or "your" or "licensee") to provide services outlined below (hereafter the “product” or "platform" or "project"). The effective date of this agreement is the date the setup fee is paid. Both Regpack and “client” hereto agree as follows:

 

Billing Terms

Terms are based on the amount of admin licenses and cost per license as outlined in the cart. Client can login to the Regpack administrative portal and navigate to “Billing” to review their current billing and cart. 

General Billing Terms

  • Month to Month License
    • Includes unlimited applicants across all projects
    • Includes additional projects
    • Includes unlimited guests
    • License(s) must be paid in full at the beginning of the contract term
    • Contracts will auto-renew after the initial term is complete
  • Annual License(s)
    • Includes unlimited applicants across all projects
    • Includes additional projects
    • Includes unlimited guests
    • License(s) must be paid in full at the beginning of the contract term
    • License(s) will auto-renew after the initial term is complete

Admin License Levels

  • Owner – includes access to all elements of the product and full permission to speak with Regpack representatives about all elements of the account. All owners must be Super Admins.
  • Super Admin – includes read and write access to all building, payment, and reporting elements of the product including permission to speak with Regpack representatives about all elements of building, payment, and reporting elements.
  • Financial Admin - includes read and write access to all payment elements of the product including permission to speak with Regpack representatives about all elements regarding payments.
  • API Admin - strictly for accessing our Open API and webhook tools. It can’t be accessed by any individual(s) outside of the API connection. API admin licenses are not eligible for discounts, special promotions, or group pricing.
  • Collaborator – includes only read and write access to user information.
  • Guest – includes only read only access to user information.

Only Super Admin, Financial Admin, and Collaborator(s) are able to communicate with the Regpack Support Team via email. Only Super Admin(s) are eligible for training session(s) and scheduled phone calls. 

NOTE: Account sharing is prohibited. All individuals who access the back end must be invited as a Super Admin, Financial Admin, Collaborator, or Guest, and will be billed accordingly. Failure to abide by these guidelines is in direct opposition to our Data Processing Agreement, which protects the safety and security of all user and payment data, violation of these terms will result in immediate suspension of the account.

Month to Month Billing Cycle Terms

  • The first payment is not included in the setup fee payment.
  • The monthly cycle is billed for the upcoming 30 days.
  • Admin fees are billed regardless of account status. 
  • Suspended accounts can not be altered, adjusted, or amended by any Regpack representative or employee.
  • The account will be locked out if payment for admin fees is not received by the due date.
  • All accounts are automatically billed through an electronically saved payment method. If no electronic payment method is supplied, payment for 12 months must be issued in advance.

Annual License Billing Terms

  • Payment is due at the time the setup fee is paid.
  • Licenses are valid for the number of months paid for, either 12 or 24 months.
  • Licenses will automatically renew after the term has ended.
  • License holders are required to provide 30 days written notice of cancellation in order to prevent automatic renewal of license. 

Payment Method

All accounts must maintain a valid credit or debit card or bank account saved electronically. Client agrees that we may charge the saved payment method with the fees due hereunder, any sales and use taxes, and any late fees or interest (as described below). Payments provided by any other methods are subject to a prepayment requirement, any upcoming balances must be paid within twenty-eight (28) days from the due date, and if not Regpack has permission to charge the saved electronic payment method for the balance. You represent and warrant that you are legally authorized to use the saved payment method provided . You agree that you are solely liable for any payment or credit card fraud, abuse, or unauthorized use by you or others. 

Refund Policy

Any monthly or annual license payment, including initial setup fees, project manager fees, and all other incurred fees are non-refundable once paid. For cancellation of a monthly or annual plan, refer to the “Cancellation” section of this contract, outlined below.

Account Suspension

You can suspend your account once, for up to 60 days, within a 12 month time period. Suspended accounts will not be billed during suspension, and access to your account will be locked. Requests for access to information will reactivate your account and billing will resume immediately. In order to suspend your account, you must request a suspension in writing by emailing payments@regpacks.com. Account suspension will go into effect once your suspension request is received and processed. Unless otherwise notified, your account will automatically turn back on after 60 days and billing will resume.

Cancellation Policy

Canceling your account requires at least 90 days notice submitted by account owners in the back end by clicking settings --> billing --> cancellation request. If your preferred cancellation date is within 90 days, or you have not given notice prior to 90 days of your preferred cancellation date, Regpack will provide two options for immediate cancellation:

  • A one-time fee of at least half of all SA licenses under your organization OR a minimum of $2,000 USD to cancel all Super Admin licenses that are 12 months or longer and end the contract. Upon receipt of payment, Regpack will then close the account immediately.
  • Upfront payment of license fees for all monthly Super Admin licenses listed in your account for the subsequent 90 days. Upon receipt of payment, Regpack will then close the account immediately.

Reactivating or Re-opening your account resets the canceling notice requirement.

License Details

This license permits a single user to access the Regpack’s administrative portal (www.regpacks.com/reg/admin/). This license can not be accessed or used across several computers simultaneously but is not limited to a specific network or region. Attempting to access simultaneously will result in immediate expulsion and multiple expulsions will lead to termination of a license.

All licenses require multi-factor authentication to access the administrative portal. This can not be turned off, restricted, or circumvented by the Regpack’s representatives, contractors, and/or partners. All licensees must be able to receive a secondary code directly to their documented email address. All licensee email addresses can not be a shared inbox and limited to only a single person. Regpack reserves the right to reject an email address if it is believed it can be accessed by multiple individuals. 

Enforcement of Licensee Access

The client manages all individual's access to Regpack’s administrative portal, including, but not limited to inviting, removing, adjusting license levels and their designated permission levels. Regpack’s representatives, contractors, and/or partners will not invite, exclude, remove, or intervene except when inviting the initial account owner. All licenses will have full access to the administrative portal via the permission levels designated below. The client will take full responsibility for any actions taken by individuals they’ve permitted to access the platform. Regpack is not responsible for any malicious action performed by an authorized user nor is the Regpack responsible for restitution or information loss in the case of negligence by an authorized user such as password sharing or lost device(s).

Admin License Transfer Policy

Regpack will limit the Licensee to a maximum of one (1) license transfer per calendar year from the date the product was purchased. The initial transfer is free of charge.

  • Additional license key transfers within this period will be charged:
    • 2nd transfer: $250
    • 3rd transfer: $500
  • The transfer of license is considered on a case-by-case basis and is at the sole discretion of the Regpack.
  • Regpack reserves the right to amend the terms and conditions of this License Transfer Policy at any time without prior notice.

License Downgrade Policy

Downgrading an admin license from an annual subscription to a monthly subscription requires at least 30 days notice prior to the end of the 12-month (or longer) license subscription. The request must be submitted by the account owner to payments@regpacks.com.  If prior notice has not been given, the license will be renewed for an additional term of at least 12 months.

 

Project Manager Assistance 

For your first project build, your onboarding includes Project Manager assistance for 2 months from the date you make your first payment. If you have not completed your Project Build within this timeframe and would like to continue to work with your Project Manager, you will be charged an additional fee. After the initial project build, Project Manager assistance is available for additional projects for an additional fee.

The Project Manager is to assist the client in building the base structure of their project. This includes the initial form structure, setting up the initial product and discount structure, providing training session scheduling, and reviewing the email communication mechanisms within the project.

The client will be transitioned to the support team when the Project Manager determines the project is ready to go live. The projected timeline for getting a project ready to take live registrations is 10 business days following a document review and approval by the Project Manager. All client documentation, including pricing, must be submitted in full to the Project Manager for their approval prior to the start of the build. Any provided build timeline is also contingent upon client adherence to tasks and deadlines set by the Project Manager. Regpack reserves the right to change the Project Manager or to stop Project Management services without cause or prior notice.

The Project Manager support DOES NOT include

  • Text changes/adjustments on any elements after they are inserted into the project. The client and all Super Admins will be able to make adjustments once the structural build is complete.
  • Support after the project is ready to go live.
  • Creation and setup of user report(s).
  • Creation and setup of email message(s) for communication with users.
  • Manual typing of legal document(s) or agreement(s)
  • Design/image implementation and/or HTML Support

The Project Manager support DOES include

  • Initial form creation and setup (up to 15 forms).
  • Initial product/services creation and setup, if necessary.
  • Review of email trigger mechanisms to confirm message(s) are sent as expected.
  • Initial instructions on how to access and edit elements not included in Project Manager support.

Integrated Payments

Regpack allows online payments with credit cards and ACH for US bank accounts only. All payments are processed through 3rd party partnerships including, but not limited to: BlueSnap, CardConnect and Wepay. These partners are solely responsible for money transfer, payment authentication, fraud detection, fund arrival, and chargeback arbitration.

Additionally, these partners are responsible for risk assessments, which can affect the actual processing rates assessed on transactions. Regpack acts solely as the technological bridge and bears no responsibility for funds or money transfers. The client enters into a standard processing agreement with the processing partner connected for their project and/or organization. The integration of any additional processing partners is done solely at the discretion of the Regpack.

In order for you to access and enable payment services, you must apply as a merchant through Regpack. All merchant accounts are required to abide by KYC requirements where individuals must be verified. The WePay Terms of Service explain that process and are available here. The WePay Privacy Policy is available here. The Bluesnap Terms and Conditions are here and merchant agreement is here.

By accepting this agreement with Regpack, you agree that you have reviewed the Terms of Service and Privacy Policy, for all of our integrated partnerships, the country in which you are located and agree to them.

Transactions of illegal products and services are prohibited by both Regpack and our integrated payment partners. Transactions are limited to countries and currencies that are not listed on the blocked and/or sanctioned list by the U.S. State Department. For questions regarding payments from specific countries, reach out to the Regpack Payments team at payments@regpacks.com.

Prohibited Data Collection

The client, its representatives and/or contractors, will refrain from collecting sensitive financial data, including, but not limited to full credit card numbers, images of credit cards, and associated identifying data using unauthorized inputs or fields within Regpack. 

Any interactions with sensitive financial data within Regpack must be contained within the authorized widgets which are encrypted in accordance with PCI regulations.

Integrated Payment Reports

Regpack provides tokens to allow the client to create and export transaction reports in .csv format. Additionally, the client has the option to create and export transaction reports directly through dashboards maintained by our processing partners. The client can request access to these dashboards by contacting the Regpack’s Payments team at payments@regpacks.com. These reports will list all of the following elements as options to include in a report: transactions, including sales, refunds, chargebacks, and all details of each transaction, including name, amount, date, last 4 digits of credit card number, breakdown of commissions that were deducted from payment, and rate of each payment method.

Processing Fees

The credit card processing fees are determined according to the credit card issuer. Your processing rates can be provided by the Regpack Payments team upon request. American Express, Discover, and Diners cards will have an additional surcharge of 1.6% plus $.50 on Visa / Mastercard rates.

The client has the ability to limit the payment method offered within all of their projects independently. The options include, but are not limited to: credit card only, limiting specific type of credit cards allowed, or ACH only.

All processing fees are subject to change due to risk re-evaluation, law changes, credit card company policy, or third party price changes. The client’s funds can be subject to a hold by the processing partner due to their risk evaluation. The client's processing fees are determined during initial information provided to their Regpack Sales representative and are based on estimates of quoted processing volume and/or payment method ratio. The client will be asked to supply documentation in order to secure processing fee rates at the initial quoted rate amount. All processing fees will be subject to re-evaluation quarterly based on actual performance.

All processing fees are automatically deducted from the transactions prior to their deposit into the client’s bank account. The client will be given access to a dashboard maintained by the processing partners to review and reconcile any transactions processed through Regpack. The client can receive funds via ACH transfer or wire transfers. Transfers can be subject to additional fees based on the processing partner. The client has the option of a daily, weekly, or monthly deposits. 

Payment Risk Compliance

In order to reduce the risk of chargebacks and mass refunds, the client understands that Regpack can, at any time, require specific information be added to the client’s offerings, housed across all projects, in order to remain in compliance with risk protocols and guidelines from government entities, card issuers, Regpack's payment gateway agreements, and our internal risk standards. Any data not in compliance runs the risk of increased processing rates to compensate for risk increases. Specific data requirements include, but are not limited to, the date or date range of all in-person and virtual offerings, and the price and detailed description of all offerings. Regpack reserves the right to change the conditions of compliance as processing partners change or update their risk requirements at any time.

Refunds

The client can issue a refund via the embedded function in the Regpack’s administrative portal. If the client requires a refund more than 60 days after the transaction date or for a pending ACH payment, the client will need to send an email from an authorized licensee that will state: full name, email, and refund amount to payments@regpacks.com. The refund will be issued within 48-72 business hours. The user's balance will be updated accordingly, and the client will be able to see the refunds as negative amounts on the payment page at any time.

Chargebacks and ECP Reversals

The client will be charged a $15 fee for each chargeback. A chargeback is the return of funds to a consumer, initiated by the issuing bank of the instrument used by a consumer to settle a debt. Specifically, it is the reversal of a prior outbound transfer of funds from a consumer's bank account, line of credit, or credit card. These transactions are initiated by the consumer. If the client would like to challenge this transaction, the processing partner is solely responsible for the chargeback review process and the final determination on the status. The client will be charged a $4 ECP (Electronic Check Processing) reversal fee on a declined ACH payment. This can be due to insufficient funds, incorrect account number entered, because the account could not be located, or other factors.

Purchase Protection 

Purchase Protection is a 3rd party service that organizations can utilize in their projects at no additional cost. Purchase Protection covers the cost of eligible products for reimbursement of some or all of the user’s payment if eligibility (such as illness) criteria are met. The software provides tools to allow the client and their users to opt-in or opt-out of the service on a per-project basis. You can find the full Purchase Protection Terms of Service here.

Account/Admin Support

Regpack will provide support primarily via email during 9:00am-5:00pm PST Monday through Friday. We reserve the right to amend or adjust these hours without cause or prior notice.  All inquiries, concerns, requests, and issues will need to be communicated from any licensee directly to support@regpacks.com.

Project Updates/Maintenance

Regpack is not responsible for the day to day maintenance of the client’s project including, but not limited to: updating text, updating fields, updating products, updating emails, updating triggers or any function the client themselves have access to. If a client would like access to day to day maintenance, a Managed Account option is available, and detailed below.

Managed Account

Regpack has an optional expanded service where the client will have direct access to a dedicated Success Manager for an additional fee. This service does not expand on the support hours listed above nor does it replace the support process and guidelines that Regpack has in place.

 

This service is quoted according to the needs of the client. The expected base cost is $6,000 and must be paid annually upfront.

 

A Client Success Manager works with clients to ensure they're receiving the tools, resources, and support needed to achieve their registration and billing goals.

These clients:

  1. Will have a dedicated partner to consult them through their Regpack experience.

  2. Will have a dedicated person to make sure that they are taking full advantage of the software.

  3. Will have a dedicated person to help solve problems that arise who will share information and provide resources.

  4. Will have a dedicated person to have conversations with in regard to their business' strategic direction.

Development Requests

The product is sold "as is" and the Regpack has sole discretion on the features and functions contained within as well as the future development. Any client can submit feature requests, but there is no guarantee on development time or implementation. There is an option to submit requests for custom development for their project. This requires an additional fee and requests are subject to approval by the head of development and priced according to the scope of work.

End User Contact

Regpack does not provide direct support to any end users of the client. If we need to contact an end user while troubleshooting an issue, it is the responsibility of the client to act as the intermediary. All contact between the Regpack and any end users must be consented to by the client in a written notice. Regpack does not directly market to the client’s end users nor will we sell any end user information to any third parties without prior authorization from the client.

Account/Admin Support Eligibility

Regpack uses the admin level and/or permissions to confirm any individuals access to the project. Any support is only provided to individuals with an active admin license and support staff can only speak with an individual according to the projects they have access to. Any person(s) without an admin license is considered an unauthorized individual for security purposes.

Security

The product functions on encrypted servers with SSL 256 bit enabled. All information is processed through the SSL protocol in order to ensure the data transferred cannot be viewed by any unauthorized third parties. The product protects payment information by employing a split database mechanism where payment information is not saved with user information. Regpack is PCI-2 compliant and undergoes daily scans to confirm integrity, daily backups to protect information, and an independent audit to confirm the PCI compliance level. The payment information is saved on a PCI-1 compliant server that is employed with several safeguards including, but not limited to: encrypted API, available to limited IP addresses, rotating passwords and usernames, and protection algorithms created on the fly to create secure “handshakes”. The payment data can only be accessed within the Regpack’s network and the network of our processing partners. Any action done by the client that violates PCI compliance regulations will result in immediate suspension of the client’s account. All account information will be purged immediately. This includes but is not limited to:

  • Gathering any credit card or bank information outside of the Regpack checkout widget
  • Capturing payment information from end users outside of Regpack's approved integrated payments forms
  • Sharing login credentials or licenses with multiple individuals
  • Any other action violating PCI regulations

Compliance

Any client who’s willful negligence is found to be the cause of any disaster or major outage will be held liable for any cost incurred by Regpack or affected parties. Any third party partner company found in violation may have their access terminated.

Application Updates and Releases

Regpack will release development updates to the product as they are released. Any updates and their frequency and content are done at our sole discretion. Regpack will review all issues reported by the client. The release date for any issue fixes are determined solely by the Regpack's development team. The release date of any updates are primarily kept internally, but if shared, the dates are non-binding.

Development Timeline

For any custom quoted feature requests, a timeline will be provided to the project stakeholders. The timeline will be agreed upon prior to payment and will only be binding if payment is received by the date outlined in the provided quote. For project related tasks, such as admin email and/or name adjustments, or vendor account implementation, completion time is up to 14 business days. Any reported issue escalated to developer review can take up to 14 business days to investigate and if it is confirmed as legitimate, the above release guidelines will apply.

Ownership of Code

All applications, modules, systems, functions, abilities, and structures built by Regpack are our sole property. Any fees paid are for active accounts only and not for ownership. The client cannot claim rights to this property due to usage, payment, improvement, or participation in the development process.

Additional Disclaimers

Except as expressly provided in this agreement, the services are provided on an “as is” “as available” and “with all faults” basis. To the extent permitted by law, Regpack disclaims all implied conditions, representations, and warranties of any kind, including any implied warranty or condition of merchantability, fitness for a particular purpose, title, or non-infringement. We make no representations, warranties, conditions or guarantees as to the usefulness, quality, suitability, or completeness of the services or that they will be error-free, uninterrupted or free from defect. We reserve the right to update this agreement with no cause and no prior notice. By signing these terms, you acknowledge they may be changed or updated at any time without cause or prior notice.

Arbitration

These terms of service include an arbitration provision, below, that governs any disputes between the Regpack and the client. This provision will eliminate the right to a trial by jury, and substantially affect the rights, including preventing the client from bringing, joining, or participating in class or consolidated proceedings. Any controversy or claim arising out of or relating to this contract, or the breach thereof, shall be settled by arbitration in accordance with its Commercial [or other] Arbitration Rules, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof. The location of the arbitration proceedings can be amended or adjusted according to local laws and statutes.

Data Storage Upon Suspension or Cancellation

As part of our compliance with GDPR, Regpack will not store or provide access to unnecessary user data. To comply with this standard, we will purge user data based on the status of your account. For suspended accounts, we can only store user information for up to 6 months. If you choose to suspend your account, it can only be suspended for a maximum of 6 months and will be automatically reactivated upon hitting this term limit. If you chose to cancel your account, this will result in all of your user information being purged immediately. All suspensions and cancellations must be requested and confirmed via written correspondence. All purged data cannot be recovered once removed. Billing on automatically reactivated accounts will resume according to terms outlined in this Agreement.

Limitation of Liability

(i) in no event will either party’s aggregate liability arising out of or related to this agreement, whether in contract, tort or under any other theory of liability, exceed fees actually paid to Regpack by client under this agreement in the twelve months preceding the incident(s) giving rise to liability.

(ii) Regpack does not assume any liability for client’s failure to perform in accordance with this agreement or any results caused by client’s acts, omissions or negligence, or a subcontractor or an agent of client or an employee of client or any of client’s agents or subcontractors, nor shall we have any liability for claims of third parties arising out of or resulting from, or in connection with, client’s products, client’s messages, client’s programs, client’s caller contracts, client’s promotions or advertising, infringement of any of client’s products , or any claim for libel or slander or for client’s violation of copyright, trademark, or other intellectual property rights with regard to any of client’s products.

Exclusion of damages

In no event will Regpack nor client have any liability to the other party or any other party for any lost profits, loss of business, goodwill or revenue, or for any indirect, special, incidental, punitive, or consequential damages however caused and, whether in contract, tort or under any other theory of liability, whether or not the party has been advised of the possibility of such damages. The client shall assume all responsibility and liability for processed payments, both automated and/or manually entered, delivering of purchased goods and/or services, use, production, and/or commercialization of the Licensed Technology, including, but not limited to, the safety, effectiveness, and reliability of the Licensed Products. Under no circumstances shall we be liable for any indirect, special, consequential or punitive damages of any kind resulting from the client’s practice of the rights granted hereunder. Remarks:

  1. Prices do not include VAT or any taxes that need to be added. If required, these will be added by the client in their system, according to the law.
  2. Regpack reserves the right to use the client logo and company name in marketing materials and promotions as one of the our accounts.
  3. The processing fee and any custom pricing in this document are valid for 30 days until signing and will continuously renew each month. The client can request a copy of our most up to date terms at any time by contacting support@regpacks.com.

Assignment

Regpack may only process personal data in accordance with your written instruction unless required to do so by law. By signing this document, you are giving Regpack permission to process personal data we collect on your behalf. We employ appropriate security measures to keep personal data processing secure. While we takes appropriate technical and organizational measures to ensure the security of data, by signing this document you agree that you will also take technical and organizational measures to ensure the security of personal data processing, including but not limited to: not sharing your admin credentials with anyone, not giving access to unauthorized individuals to your account, and ensuring other 3rd parties you use are in compliance with GDPR and all data protection laws when handling any of your data.

You are required to:

  • Ensure you are doing everything you can do keep personal data secure,
  • Notify any personal data breaches to Regpack immediately.
  • Delete data of a user should they request it, within 1 month of the request and free of charge.

Please note:

  • If you suspend your account, your data will be held by Regpack for up to 6 months. At this point, your account will be renewed or you can request cancellation.
  • If your account is canceled, ALL data will be scheduled to be purged from the platform immediately.
  • Only data that is required by law to be retained will be exempt from the purge.

Regpack Data Processing Agreement

Regpack, Inc. (“Regpack”) provides the Regpack service (the “Service”) through the domain Regpacks.com (the “Website”) which allows a customer to collect, analyze, and export user personal data. The party who has signed this agreement (the “Customer” also known as the ‘data controller’ as defined in this document) has signed up for the Service and has agreed to Regpack’s terms and conditions (including Regpack’s Privacy Policy (collectively the “Agreement”). This Regpack Data Processing Agreement (the “DPA”) is entered into between Regpack and Customer effective as of the last date of signature (“Effective Date”) and reflects the parties’ agreement with respect to the terms governing the processing and security of Personal Data under the Agreement. Terms not otherwise defined below will have the meaning set forth in the Agreement. The parties agree as follows:

Purpose

Each party agrees to process Personal Data received under the Agreement only for the purposes set forth in the Agreement and in compliance with the Applicable Data Protections Laws.

Definitions 

In addition to the terms otherwise defined in the Agreement, the following terms have the definitions below:

2.1. “Applicable Data Protection Laws ” means all laws and regulations, including laws and regulations of the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

2.2. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

2.3. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Counsel of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.4. “Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual, including data that the Customer chooses to provide to Regpack from its use of the Regpack service; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by the applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual.

2.5. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.6.    “Processor” means the entity which Processes Personal Data on behalf of the Controller.

2.7.    “Sub-processor” means any Processor engaged by Regpack. 2.8.    “User” means the identified or identifiable person to whom Personal Data relates.

Provision of Services

In the course of providing the Services to the Customer pursuant to the Agreement, Regpack may Process Personal Data on behalf of Customer and its Users. The parties agree and acknowledge that the Applicable Data Protection Laws may apply to the processing of Personal Data if, for example, the data processing is carried out on behalf of a Customer (or of an authorized Customer affiliate) with a presence in an EU Member State. Each party agrees to comply with the following provisions with respect to any Personal Data Processed during the provision of the Services. The parties acknowledge and agree that with regards to such Processing of Personal Data, Customer is the Controller and Regpack is the Processor.

Customer’s Processing

Customer, in its use of the Services, agrees to:

4.1. Process the Personal Data in accordance with the written instructions provided to Regpack as set forth in this DPA and the Agreement;

4.2. Comply with its protection, security, and other obligations with respect to Personal Data prescribed by the Applicable Data Protection Laws for data Controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data is processed on behalf of Customer; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses, including, but not limited to, providing notice and obtaining all consents and rights necessary to process Customer data and provide the Services pursuant to this DPA and the Agreement; and (c) ensuring compliance with the provisions of the Agreement and this DPA by its personnel or by any third-party accessing or using Personal Data on behalf of Customer; and

4.3. Upon request of Regpack, delete Customer Data as requested by the User through the deletion capability in the Regpack Services, as required by Applicable Data Protection Laws. If requested by Regpack, a user or the customer, provide such information to Regpack reasonable and necessary, including, but not limited to, user IDs associated with such User, for Regpack to unambiguously identify the User requesting such deletion.

Regpack Processing

Regpack shall treat Personal Data as Confidential Information and will only Process Personal Data in accordance with Applicable Data Protection Laws directly applicable to the Services, including, effective as of May 25, 2018, compliance with the GDPR. Regpack will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation.

5.1. Regpack will Process Personal Data (i) only for the purpose of providing, supporting and improving Regpack’s services (including providing insights and other reporting), using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Agreement. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Regpack in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Regpack. Regpack will not use or process the Personal Data for any other purpose. Regpack will inform Customer in writing if it cannot comply with the requirements under this DPA, in which case Customer may terminate their account with Regpack or suspend data processing operations.

5.2. Regpack will Inform Customer if, in Regpack’s opinion, an instruction from Customer violates Applicable Data Protection Laws.

5.3. Regpack will enter into contractual arrangements with Sub-processors binding them to provide the same level of data protection and information security to that is required by law. Regpack will not be liable for the acts and omissions of its Sub-processors.

5.4. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Regpack shall have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, Regpack is the Data Controller of such data and accordingly shall process such data in accordance with the Regpack Privacy Policy and Applicable Data Protection Laws.

User Request

Regpack shall not respond to a User Request without Customer’s prior written consent except to confirm that such request relates to Customer, to which Customer hereby agrees. To the extent Customer, in its use of the Services, does not have the ability to address a User Request or if the Customer fails to address a User Request within ten (10) days, Regpack shall provide commercially reasonable assistance to facilitate such User Request to the extent Regpack is legally permitted and/or required to do so, technically can provide assistance and provided that such User Request is exercised in accordance with Applicable Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Regpack’s provision of such assistance.

Transfers of EU Data

For transfers of EU Personal Data to Regpack for processing by Regpack in a jurisdiction other than a jurisdiction in the EU, the EEA, or the European Commission-approved countries providing ‘adequate’ data protection, Regpack agrees it will (a) comply with and provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks; or (b) use the form of the Standard Contractual Clauses set forth in Exhibit 1 to enable the lawful transfer of EU Personal Data. Regpack shall promptly notify Customer of any inability by Regpack to comply with the provisions of this Section.

Regpack Personnel

8.1. Confidentiality. Regpack shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Regpack shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

8.2. Reliability. Regpack shall take commercially reasonable steps to ensure the reliability of any Regpack personnel engaged in the Processing of Personal Data.

8.3. Limitation of Access. Regpack shall ensure that Regpack’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

8.4. Data Protection Officer. Regpack has appointed a data protection officer. The appointed person may be reached at support@regpacks.com.

Deletion

On the expiration or termination of the Agreement (or, if applicable on expiration of any post-termination period during which Regpack may agree to continue providing access to the Services), after a recovery period of up to 30 days following such expiration or termination, Regpack will delete any Personal Information then in its possession and/or control within a maximum period of 90 days, unless applicable legislation or legal process prevents it from doing so.

Access; Export of Data

During the term of the Agreement, Regpack will make available to Customer, the Personal Data in a manner consistent with the functionality of the Services and in accordance with the terms of the Agreement. To the extent Customer, in its use and administration of the Services during the term of the Agreement, does not have the ability to amend or delete Personal Data (as required by applicable law), or migrate Personal Data to another platform, Regpack will, at Customer’s reasonable expense, comply with any reasonable requests from Customer to assist in facilitating such actions to the extent Regpack is legally permitted to do so and has reasonable access to the relevant Personal Data.

Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the rights and freedoms of natural persons, Processor and each Processor affiliate, shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk including, as appropriate, the measures referred to in the GDPR. Processor shall maintain appropriate technical and organizational measures for protection of Personal Data (including protection against unauthorized or unlawful Processing, against accidental or unlawful destruction, loss, alteration or damage, and unauthorized disclosure of, or access to, Personal Data). Processor will not materially decrease its overall security of the Personal Data during the term of the Agreement.

Data Storage Upon Suspension or Cancellation

As part of our compliance with GDPR, Regpack will not store or provide access to unnecessary user data. To comply with this standard, we will purge user data based on the status of your account. For suspended accounts, we can only store user information for up to 6 months. If you choose to suspend your Regpack account, it can only be suspended for a maximum of 6 months and will be automatically reactivated upon hitting this term limit. If you chose to cancel your account, this will result in all of your user information being purged immediately. All suspensions and cancellations must be requested by the Cancellation Request form and confirmed via written correspondence. All purged data cannot be recovered once removed. Billing on automatically reactivated accounts will resume according to terms outlined in this agreement.

Limitation of Liability

Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement. For the avoidance of doubt, Regpack’s and its affiliates’ total liability for all claims from the Customer arising out of the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement and will not exceed the overall admin fees paid by Customer.

Order of Precedence

This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligations of the parties addressed under this DPA, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. In the event of a conflict between the terms of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

Exhibit 1 – Standard Contractual Clauses

Name of data importing organization: Regpack, Inc. Address: 530 B St, Suite 1500 San Diego, CA 92101 E-mail: support@regpacks.com (the “data importer”) For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection the parties have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1 Definitions For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2 Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3 Third-party beneficiary clause

  • The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), Clause 6, Clause 7, and Clause 9.
  • The data subject can enforce against the data importer this Clause, Clause 5(a) to (e), Clause 6, Clause 7, Clause 8, and Clauses 9 to 11, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  • The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e), Clause 6, Clause 7, Clause 8, and Clauses 9 to 11, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  • The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4 Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with acceptable security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8 to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5 Obligations of the data importer (Regpack Inc)

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; (ii) any accidental or unauthorised access; and (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

Clause 6 Liability

The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation only from the data exporter for the damage suffered.

Clause 7 Mediation and jurisdiction

The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8 Cooperation with supervisory authorities

The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

Clause 9 Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely United States.

Clause 10 Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11 Obligation after the termination of personal data-processing services

The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, after a period of 30 days, at the choice of the data exporter, destroy all the personal data transferred and the copies thereof to the data exporter and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer): United States The Data Exporter is a/an entity who will use the Services provided by the Data Importer pursuant to the Agreement.

Data importer

Data importer is the owner and operator of SaaS application that allows the customer to collect, analyze, and export user personal data with data exporter’s services and website.

Data subjects

Data subjects include the individuals about whom data is provided to Data Importer via the Services by (or at the discretion of) the Data Exporter. This may include, but is not limited to, personal data relating to the Data Exporter customers and employees.

Categories of data

The personal data transferred concern the following categories of data: Name, personal addresses, telephone numbers, email, birthdates, payment details, IP addresses.

Processing operations

The personal data transferred will be subject to the following basic processing activities: personal data may be received, processed and stored in order to provide the Services, to communicate with the data exporter and to otherwise fulfill its obligations under the Agreement; access for customer service; in accordance with your use of features; abuse detection, prevention, and remediation; maintaining, improving, and providing our Services. Sub-processors Data exporter consents to sub-processing by the following subcontractors: Bluesnap, WePay, CardConnect, Mailgun, FullStory, BounceX, Incapsula, Rackspace. Data exporter agrees the data importer is not liable for any and all acts of the subcontractors.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses. Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): In processing personal data under the Agreement, the Data Importer represents and warrants that it has implemented and will maintain the administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of personal data uploaded to the Services, as described in and set out in Regpack Security. Data importer will not materially decrease the overall security of the Services during the term of the Agreement .

Related articles