1. Background

a) This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Master Subscription Agreement or the Contentful Terms of Service, as applicable (“Main Agreement”), under which Contentful provides services (“Contentful Services”) to Customer.

b) Capitalized terms used in this DPA have the meaning set forth herein. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Main Agreement. Terms that are not capitalized are interpreted in accordance with applicable data protection and privacy laws.

c) This DPA does not change the terms of the Main Agreement but only supplements the Main Agreement for purposes of personal data processing.

d) This DPA applies to processing European personal data (that is, any personal data subject to the GDPR, the UK GDPR and the Swiss Data Privacy Act). “GDPR” (General Data Protection Regulation) means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. “UK GDPR“ means the Data Protection Act 2018 and the UK General Data Protection Regulation. “Swiss Data Privacy Act“ means the Swiss Federal Act on Data Protection of 19 June 1992.

e) To the extent California consumers’ personal information is processed, Schedule 4 applies.

f) This DPA is subject to the governing law and jurisdiction provisions in the Main Agreement unless and to the extent required otherwise by applicable data protection and privacy laws.

g) This DPA becomes effective and remains in effect for as long as personal data is processed as per the Main Agreement.

2. Scope of Application

a) While providing Contentful Services, it may be necessary for Contentful to process personal data for Customer (“Customer Data”, see Schedule 1). Contentful is the Data Processor of such personal data and Customer is the Data Controller.

b) In case of contradictions between this DPA and the provisions of other agreements, in particular the Main Agreement, the provisions of this DPA prevail. The provisions of the Standard Contractual Clauses attached in Schedule 3 prevail, where applicable, over this DPA to the extent of any discrepancy between the two.

c) This DPA does not apply to "Service Data" which means any data relating to the Customer’s use, support and/or operation of Contentful Services and Contentful websites, including information relating to Customer personnel such as activity logs, use patterns, cookie data or other information regarding use of Contentful Services and Contentful websites. To the extent any Service Data is considered personal data under applicable data protection and privacy laws, Contentful is responsible as a Data Controller, and processes such data in accordance with its privacy notice available at contentful.com/legal and applicable data protection and privacy laws.

3. Subject, Scope and Duration of Processing

a) Contentful processes Customer Data exclusively on behalf of Customer and on Customer instructions in terms of GDPR article 28 (1).

b) Schedule 1 to this DPA contains a comprehensive list of the types of Customer Data that Contentful may process, in which manner, for what purposes, and to which categories of data subjects such data relate.

4. Scope of Customer's Authority to Issue Instructions

a) Instructions related to processing Customer Data must be documented. Customer’s instructions are exclusively included in the Main Agreement and this DPA or given via the authorized use of Contentful Services.

b) Contentful must inform Customer immediately in writing if in Contentful’s reasonable opinion Customer’s instructions conflict with this DPA, an earlier instruction or applicable data protection laws.

c) Customer hereby instructs Contentful to process Customer Data and, in particular, to transfer Customer Data to any country or territory as reasonably necessary for the provision of Contentful Services in accordance with the Main Agreement and this DPA.

5. Obligations and Legal Status of Customer as Data Controller

a) Customer is responsible for its compliance with applicable laws and the lawful processing of Customer Data in relation to the data subjects as well as for safeguarding the rights of data subjects.

b) As between the parties, Customer is and remains the owner of Customer Data and the holder of all rights relating to Customer Data.

6. Security of Processing

a) Contentful takes appropriate technical and organizational measures to ensure a suitable level of protection for Customer Data corresponding to the risk of the respective data processing. This must be in consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims of the processing as well as the varying likelihood and severity of risk to the rights and freedoms of data subjects.

b) Customer has assessed the security measures offered by Contentful to meet the standards required by applicable data protection and privacy laws as at the effective date hereof. Such technical and organizational measures are specified in Schedule 2 to this DPA and/or in the Main Agreement and Contentful will maintain those (or effectively similar) measures during the term.

7. Sub-processors

a) Customer hereby authorizes Contentful to appoint sub-processors in accordance with this section.

b) Contentful can continue using those sub-processors already engaged by Contentful as at the date of this DPA, subject to Contentful meeting the obligations set out in this section.

c) Prior to engaging new or replacement sub-processors Contentful will notify Customer. Customer is entitled to provide reasonable objections to any change notified by Contentful within a reasonable time (which reasonable time may be set by Contentful in such notification) and for materially important reasons. If Customer fails to object to such change within such reasonable time, Customer is deemed to have consented to such change. Where a materially important reason for such objection exists and an amicable resolution fails, Contentful may terminate the Main Agreement.

d) If Contentful engages sub-processors, Contentful (i) remains liable under this DPA for the acts and omissions of sub-processors and (ii) will enter into written agreements with such sub-processors containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such subprocessor.

8. Data Subject Rights

a) If a data subject contacts Contentful to exercise the data subject’s legal rights, Contentful will not respond to such request but forward such request to Customer without undue delay. Contentful may only respond to data subject requests after a prior written approval by Customer or as required by laws to which Contentful is subject. In such a case Contentful will, to the extent permitted by applicable laws, inform Customer of that legal requirement before responding to the request.

b) Taking into account the nature of processing, Contentful will assist Customer by implementing appropriate technical and organizational measures, as is reasonable, for the fulfilment of Customer’s obligations to respond to data subject requests.

c) Contentful will rectify, delete or block Customer Data on Customer’s instructions unless otherwise required by applicable law.

d) If a data subject has a right to data portability with respect to Customer Data, Contentful will ensure that Customer can obtain such data in a structured, common and machine-readable format.

9. Data Breach

a) Contentful will inform Customer of any data breach affecting Customer Data without undue delay and, in any event, so as to facilitate the parties’ compliance with applicable law (such as notification timelines set by GDPR, article 33 (1)). Contentful must inform Customer, to the extent known, about the type of breach, the categories and the number of data subjects, the data affected, and the number of data sets affected.

b) Contentful will without undue delay take all necessary and reasonable measures to remedy the data breach. Contentful will inform Customer as soon as reasonably possible about such measures and keep Customer informed as reasonably practicable.

10. Return and deletion of Customer Data

a) Contentful is prohibited from actively processing Customer Data after termination of the Main Agreement.

b) At the choice and request of Customer, all Customer Data must be either completely and irretrievably deleted (or otherwise obliterated such that it cannot be recovered or reconstructed) or returned to Customer within a reasonable time after Customer request.

c) Contentful may retain Customer Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws.

11. Cross Border Data Transfers Mechanism

a) If any Customer Data transfer between Customer and Contentful requires execution of Standard Contractual Clauses in order to comply with the Applicable Laws (where Customer is the Data Exporter), the terms and conditions of Appendix 3 (Standard Contractual Clauses - Cross Border Transfer Mechanisms – Module two « Controller to Processor ») will apply.

b) Sub-processors : When necessary to comply with the Applicable Laws, Contentful has executed with its sub-processors either the Standard Contractual Clauses adopted by European Commission decision 2004/915/EC on 27 December 2004), in the name and on behalf of Customer, which authorization Customer hereby grants to Contentful; or the the Standard Contractual Clauses (Module 3 « Processor to Processor »)approved by the European Commission in decision 2021/914.

12. Audit

a) To the extent that the Main Agreement does not otherwise give the information and audit rights meeting the relevant requirements of data protection and privacy laws (including, where applicable, article 28(3)(h) GDPR), Contentful will upon reasonable request make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the processing of Customer Data. Contentful will not unreasonably withhold or delay agreement to an auditor selected by Customer.

b) The audits and inspections referred to in subsection a) are primarily carried out by Customer auditing and inspecting audit reports resulting from an audit performed by an independent third-party information security expert at Contentful expense and choice in accordance with Contentful’s ISO 27001 compliant information security management system. Customer hereby instructs Contentful to perform audits for purposes of privacy compliance under this DPA as described in this subsection b).

c) If Customer wishes to alter its above instructions concerning audits, Customer will issue a suggestion for altered audit instructions to Contentful in writing reasonably in advance of an expected audit. If the parties fail to reach an amicable resolution on altered audit instructions, Contentful may terminate the Main Agreement.

d) Audits will be subject to customary confidentiality undertakings or professional duty of confidentiality. Customer will give Contentful reasonable notice of any audit or inspection and will take (and ensure that auditors take) all reasonable endeavors to minimize disruption to Contentful’s business, including e.g. carrying out the audits during normal business hours.

e) Customer will not carry out more than one audit per year of the Main Agreement term unless (i) Customer reasonably considers it necessary because of genuine and demonstrable concerns as to Contentful’s compliance with this DPA or applicable data protection and privacy laws; or (ii) Customer is required or requested to carry out an audit by data protection and privacy laws, a supervisory authority or any similar regulatory authority responsible for enforcement of such laws; or (iii) if an earlier audit has identified non-conformity with this DPA or applicable data protection and privacy laws.

f) All costs and expenses arising from audits are borne by Customer.

g) Nothing herein limits any rights mandated by law, such as supervisory authority and data subject rights, including in accordance with the Standard Contractual Clauses.

13. Other Contentful Obligations

a) If Customer is required to provide information to a supervisory authority relating to processing of Customer Data, or to otherwise cooperate with a public authority, Contentful will support Customer by providing such information reasonably available to it or otherwise reasonably cooperating with Customer. This applies in particular to information and documents relating to technical and organizational measures taken in line with article 32 GDPR.

b) To the extent necessary and reasonable, Contentful will support Customer with data protection impact assessments as well as with any subsequent consultation (if applicable) with the supervisory authorities in the meaning of articles 35 and 36 GDPR.

c) Customer will reimburse to Contentful the reasonable cost and expenses arising out of Contentful’s support to Customer in accordance with this section.

Schedule 1: Purposes and scope of the processing, type of data and categories of data subjects

For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 1 serves as Appendix 1.

Type of Customer Data	Customer Content which may include personal data at Customer’s choice. Such Customer Content is typically editorial material intended for websites. IP address of the end user of the Customer Applications – if Customer Applications are integrated with Contentful Services in a way that discloses such personal data.No sensitive data are transferred.
Type of processing	Cloud based content management infrastructure, software and services.
Retention Period	Customer Data deleted or returned at the termination of Main Agreement.
Frequency of processing	Continuous basis for the duration of the Main Agreement.
Nature of processing	Any operation necessary for the performance of the Main Agreement.
Purposes of processing	Performance of the Main Agreement and provision of Contentful Services and related support services; hosting Customer Content and serving it via application programming interfaces to Customer Applications.
Categories of data subjects	Customer Content may include personal data, the data subjects of which are controlled and determined by Customer at its discretion. Possibly Customer personnel and contractors using Contentful Services and communicating with Contentful. Possibly end users of the Customer Applications.

Schedule 2: Technical and organizational measures

For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 2 serves as Appendix 2.

This Schedule 2 may be replaced by Contentful security policy by appending or referencing and incorporating such policy herein:

https://www.contentful.com/legal/de/2017-01-31/security/

Schedule 3: Standard Contractual Clauses

1. Definitions

a. “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following:

(i) UK Standard Contractual Clauses; and (ii) 2021 Standard Contractual Clauses.

b. “UK Standard Contractual Clauses” means Standard Contractual Clauses for Data Controller to Data Processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”); and

c. "2021 Standard Contractual Clauses" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. UK Standard Contractual Clauses. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by reference) and the UK Data Controller to Data Processor SCCs will apply where Contentful is a Data Processor. The indemnification clause will not apply. Annex 1 serves as Appendix 1 of the UK Controller to Processor SCCs. Annex 2 serves as Appendix 2 of the UK Data Controller to Data Processor SCCs.

3. The 2021 Standard Contractual Clauses. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses Module Two (Data Controller to Data Processor) will apply where Customer is a Data Controller and Contentful is a Data Processor

(i) in Clause 7, the docking clause will not apply;

(ii) in Clause 9, Option 2 (‘General written authorization’) will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (sub-processors) of this Data Processing Agreement;

(iv) in Clause 17, the 2021 Standard Contractual Clauses will be governed by German law.

(v) in Clause 18(b), disputes will be resolved before the courts of Berlin (Germany)

(vi) In Annex I, Part A: Data Exporter: Customer and authorized affiliates of Customer. Contact Details: Customer’s account owner email address. Data Exporter Role: Data Controller Signature & Date: By entering into the Main Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Data Importer: Contentful Inc; Contentful GmbH Contact Details: Contentful Privacy Team - privacy@contentful.com Data Importer Role: Data Processor Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

(vii) In Annex I, Part B: the details are provided in Schedule 1 of the Data Processing Agreement. For transfers to sub-processors, the subject matter, nature is outlined at https://www.contentful.com/legal/privacy-at-contentful/sub-processors/ and the duration of the processing is the duration of the Main Agreement.

(viii) In Annex I, Part C: The Berlin Data Protection Authority (Berliner Beauftragte für Datenschutz und Informationsfreiheit) will be the competent supervisory authority.

(ix) Schedule 2 serves as Annex II of the Standard Contractual Clauses.

4. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this Addendum, the provisions of the Standard Contractual Clauses will prevail.

Schedule 4: CCPA Addendum

The DPA applies, subject to this Schedule 4, to processing Californian personal information (that is, any personal information subject to the CCPA). “CCPA” means the California Consumer Privacy Act of 2018, California Civil Code Section 1798.100 et. seq., including all regulations enacted in connection therewith as the same may be amended, supplemented, or replaced from time to time.

With respect to Californian personal information, this Schedule 4 prevails over any conflicting terms of the Main Agreement and the DPA but does not modify them. Capitalized terms not otherwise defined in this Schedule 4 have the meaning given in the Main Agreement and the DPA. For purposes of this Schedule 4 and the CCPA, the term “personal data” as used in the DPA includes “personal information”. Similarly, other terms used in the DPA are interpreted to include their closest equivalent under the CCPA. All terms that are not capitalized in this Schedule 4 are interpreted in accordance with the CCPA.

1. Customer is a business and appoints Contentful as a service provider to process personal information on behalf of Customer. Customer will comply with the CCPA applicable to it as a business.

2. This Schedule 4 applies to the collection, retention, use, and disclosure of personal information to provide services to Customer pursuant to the Main Agreement.

3. Contentful may not otherwise retain, use, or disclose personal information for any purpose other than (i) for the specific purpose of performing the services, (ii) in accordance with Customer’s documented lawful instructions as set forth in the DPA, (iii) as necessary to comply with applicable law, (iv) as otherwise agreed in writing, or (v) as otherwise permitted for service providers under the CCPA. Contentful hereby certifies that it understands and will comply with the restrictions outlined herein.

4. Contentful’s obligations regarding data subject requests, as described in section 8 (Data Subject Rights) of the DPA, apply to consumers’ rights under the CCPA.