- Acceptable use policy
- Contentful AI Terms of Service
- Digital Services Act
- DMCA takedown notice
- Marketplace terms
- Modern slavery and human trafficking statement
- Privacy at Contentful
- Service level agreement
- Terms of service
- Terms of service Developer Showcase
- Trademark and Brand Use Policy
- Trial Terms of Service
- Legal FAQ
- Security addendum
- Other versions of this document
This Data Processing Addendum (“DPA”) forms part of and is subject to the Master Subscription and Services Agreement or such other agreement entered into between the parties (the “Agreement”) under which Contentful provides the cloud-based content management and publication platform as a service offering (“Subscription Services”) to Customer. Customer and Contentful are collectively referred to in this DPA as the “Parties” and each a “Party”. Capitalized terms not otherwise defined in this DPA have the meaning given to them in the Agreement.
1. Definitions
1.1. “Affiliates” has the same meaning set forth in the Agreement.
1.2. “Authorized Affiliates” are Customer Affiliates who have entered into service orders, statements of work or to which Customer has granted a sublicense to the Subscription Services.
1.3. “CCPA” means the California Consumer Privacy Act of 2018, as may be amended, supplemented or replaced from time to time, including the California Privacy Rights Act of 2020.
1.4. “Customer Content” has the same meaning set forth in the Agreement.
1.5. “Customer Personal Data” means the Personal Data contained within Customer Content.
1.6. “Data Breach” means a breach of Contentful’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
1.7. “Data Protection Laws” means all data protection and privacy laws applicable to the respective Party in its role in the Processing of Customer Personal Data under the Agreement, including without limitation, European Data Protection Laws and US Data Protection Laws.
1.8. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
1.9. “European Data Protection Laws” means, to the extent applicable to the respective Party in its role in the Processing of Customer Personal Data under the Agreement, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the GDPR as it forms part of United Kingdom law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection of 25 September 2020 and the Swiss Ordinance of 31 August 2022 on Data Protection and; (iv) any implementing, supplementing, or successor legislation to those laws and regulations identified in subsections (i)-(iii) of this paragraph.
1.10. “Personal Data” means any information relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including “personal data” under GDPR and “personal information” under the CCPA.
1.11. “Standard Contractual Clauses” means, depending on the circumstances unique to any particular Customer, any of the following: (i) “EU SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021, currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and/or; (ii) “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and/or; (iii) “Swiss Addendum” means the EU SCCs as modified in Schedule 3 to this DPA to address the Swiss Federal Act on Data Protection of 25 September 2020 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 31 August 2022 on Data Protection, including any implementing, supplementing, or successor legislation.
1.12. “Sub-processor” means any other Processors engaged by Contentful to Process Customer Personal Data.
1.13. “US Data Protection Laws” means, to the extent applicable to the respective Party in its role in the Processing of Customer Personal Data under the Agreement, federal and state laws relating to data protection, privacy and/or the Processing of Personal Data in force from time to time in the United States.
1.14. The terms “Controller”, “Processor”, and “Processing” (including Process, Processed, and Processes) shall have the respective meanings ascribed to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in European Data Protection Laws will apply.
2. Scope of Application
2.1. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. The provisions of the Standard Contractual Clauses attached in Schedule 3 prevail, where applicable, over this DPA to the extent of any discrepancy between the two.
2.2. Contentful’s obligations in this DPA shall also extend to Authorized Affiliates, provided that (i) only Customer can communicate any additional Processing instructions pursuant to this Section 2; (ii) all acts and/or omissions by an Authorized Affiliate with respect to Customer’s obligations in this DPA shall be considered the acts and/or omissions of Customer; and (iii) any claims by an Authorized Affiliate against Contentful in relation to this DPA must be brought by Customer directly against Contentful on behalf of such Authorized Affiliate.
2.3. This DPA becomes effective from the date last signed by the Parties below (“Effective Date”) and remains in effect for as long as Contentful Processes Customer Personal Data pursuant to the Agreement.
3. Roles of Parties
3.1. For the purposes of GDPR, Contentful acts as a Processor on behalf of Customer who acts as either: (i) a Controller; or (ii) a Processor on behalf of another Controller.
3.2. For the purposes of US Data Protection Laws, Contentful will act as a “service provider” or “processor” (as defined under US Data Protection Laws), as applicable, in its performance of its obligations pursuant to the Agreement and this DPA.
3.3. As between the Parties, Customer is and remains the owner of Customer Personal Data and the holder of all rights relating to Customer Personal Data.
4. Processing of Customer Personal Data Pursuant to Customer’s Instructions
4.1. Each Party will comply with its respective obligations under Data Protection Laws. Contentful shall Process Customer Personal Data solely on behalf of Customer and on Customer’s written instructions which are set forth in the Agreement and this DPA. Any additional requested instructions require the prior written agreement of the Parties. Contentful shall promptly notify Customer if Contentful determines that such instructions conflict with European Data Protection Laws. Without limiting the foregoing, Contentful is prohibited from:
4.1.1. selling Customer Personal Data or otherwise making Customer Personal Data available to any third party for monetary or other valuable consideration;
4.1.2. sharing Customer Personal Data with any third party for cross-context behavioral advertising;
4.1.3. retaining, using, or disclosing Customer Personal Data for any purpose other than for the business purposes specified in the Agreement or as otherwise permitted by Data Protection Laws; and
4.1.4. combining Customer Personal Data with other Personal Data that Contentful receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject. 4.2. Contentful will notify Customer without delay if Contentful determines that it can no longer meet its obligations under US Data Protection Laws. Upon such notice, Customer may direct Contentful to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by suspending the relevant Processing operations and/or deleting all or the relevant portion of Customer Personal Data; or by such other means as agreed to by the Parties.
4.3. The details of the Processing of Customer Personal Data under the Agreement and this DPA (e.g., subject matter, nature, duration and purpose of the Processing, categories of Personal Data and Data Subjects) are set forth in the Agreement and/or Schedule 1 to this DPA.
5. Customer Obligations
5.1. Customer is responsible for obtaining all necessary consents (including, but not limited to, consents for tracking technologies on Customer’s applications), permissions and rights, and for providing appropriate notices, regarding the collection and Processing of Customer Personal Data required under Data Protection Laws for Contentful to lawfully Process Customer Personal Data to provide the Subscription Services.
5.2. Customer shall not instruct (including in its use of the Subscription Services) Contentful to Process Customer Personal Data in violation of Data Protection Laws.
5.3. Customer is responsible for making an independent determination as to whether its use of the Subscription Services will meet Customer’s requirements and legal obligations under Data Protection Laws. Contentful shall have no obligation to assess the contents or accuracy of Customer Content.
6. Security of Processing
6.1. Contentful takes appropriate technical and organizational measures to ensure an adequate level of protection for Customer Personal Data corresponding to the risk of the respective Processing. Such measures are in consideration of the state of the art, implementation costs and the type, scope, circumstances, and aims of the Processing as well as the varying likelihood and severity of risk to the rights and freedoms of Data Subjects.
6.2. Contentful will implement the technical and organizational measures specified in Schedule 2 to this DPA and/or in the Agreement and Contentful will maintain those (or effectively similar) measures during the term of the Agreement. Customer has assessed these security measures and acknowledges and agrees that they ensure a level of protection for Customer Personal Data that is appropriate to the risk.
6.3. Contentful shall ensure that any person who is authorized by Contentful to Process Customer Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty). Contentful personnel will not access Customer Content except as reasonably necessary to provide the Subscription Services pursuant to the Agreement or to comply with applicable law or binding order of a government body.
7. Sub-processors
7.1. Customer hereby authorizes Contentful to appoint Sub-processors in accordance with this section.
7.2. Contentful can continue using those Sub-processors already engaged by Contentful as of the Effective Date and that are listed at https://www.contentful.com/legal/privacy-at-contentful/sub-processors/ (“Sub-processor Site”), subject to Contentful meeting the obligations set out in this section.
7.3. Contentful shall make available on its Sub-processor Site a mechanism to subscribe to notifications of new Sub-processors and prior to engaging new Sub-processors, Contentful will notify Customer through such mechanism. Customer is entitled to provide reasonable objections to any change notified by Contentful within 21 days and for materially important reasons relating to the new Sub-processor’s proposed Processing of Customer Personal Data. If Customer fails to object to such change within this time, Customer is deemed to have consented to such change. Where a reasonable and materially important basis for such objection exists and an amicable resolution fails, Customer, as its sole and exclusive remedy, may provide written notice to Contentful terminating the Provisioning Documents with respect only to those aspects which cannot be provided by Contentful without the use of the new Sub-processor. Contentful will refund Customer any prepaid unused fees of such Provisioning Documents following the effective date of termination.
7.4. Contentful (i) remains liable under this DPA for the acts and omissions of Sub-processors and (ii) will enter into written agreements with such Sub-processors containing data protection obligations not less protective than those in this DPA, and including Standard Contractual Clauses, to the extent applicable to the nature of the services provided by such Sub-processor.
8. Data Subject Requests
8.1. If a Data Subject contacts Contentful to exercise the Data Subject’s rights regarding Customer Personal Data as permitted under Data Protection Laws (“Data Subject Request(s)”) and the Data Subject identifies as originating from Customer, Contentful will not respond to such request but will instead forward such request to Customer without undue delay. The Subscription Services include functionality that allow Customers to respond to Data Subject Requests and, to the extent Customer is unable to independently respond to a Data Subject Request, Contentful will provide reasonable assistance upon Customer’s written request.
8.2. If a Data Subject has a right to data portability with respect to Customer Personal Data, Contentful will ensure that Customer can obtain such data in a structured, common and machine-readable format.
9. Data Breach
9.1. If Contentful becomes aware of a Data Breach, it will notify Customer without undue delay and, in any case, where feasible, within 72 hours after becoming aware, so as to facilitate Customer’s compliance with Data Protection Laws (such as notification timelines set by GDPR Article 33 (1)). Notification will be sent to the email address that Customer has specified within the Subscription Services to receive security-related notifications. Where no such email address is provided, Customer acknowledges that the means of notification shall be at Contentful’s reasonable discretion (which may include using other Customer-designated email addresses such as the administrator or owner of the relevant organization), and that this may impact Contentful’s ability to timely notify. Contentful shall notify Customer, to the extent known, about the nature of the Data Breach, the identities, categories and number of Data Subjects affected, and the number of data sets affected.
9.2. Contentful will, without undue delay, take all necessary and reasonable measures to mitigate or contain the Data Breach. Contentful will inform Customer as soon as reasonably possible about such measures and keep Customer informed as reasonably practicable.
10. Return and deletion of Customer Personal Data
10.1. The Subscription Services include the ability to retrieve or delete Customer Personal Data during the term of the Agreement. Within 35 days of written request by Customer upon termination or expiration of the Agreement, Contentful will delete (such that it cannot be recovered or reconstructed) all Customer Content, including Customer Personal Data, within its possession or control.
10.2. Contentful may retain Customer Personal Data after termination of the Agreement only to the extent and for such period as required by applicable laws. Any Customer Personal Data retained by Contentful under this section shall be Processed in compliance with the terms of this DPA and shall only be Processed as necessary for the purposes specified in the applicable laws requiring its retention.
11. Cross Border Data Transfers Mechanism. If Customer transfers any Customer Personal Data to Contentful requiring the execution and application of Standard Contractual Clauses in order to comply with European Data Protection Laws , the terms and conditions of Schedule 3 will apply.
12. Audit
12.1. To the extent that the Agreement does not otherwise give the information and audit rights pertaining to the processing of Customer Personal Data and meeting the relevant requirements of Data Protection Laws (including, where applicable, GDPR Article 28(3)(h)), Contentful will upon reasonable request make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, by Customer or an auditor designated by Customer and agreed to by Contentful, which consent will not be unreasonably withheld. 12.2. The audits and inspections referred to in Section 12.1 are primarily carried out by Customer reviewing and inspecting audit reports resulting from an audit performed by an independent third-party information security expert at Contentful’s expense and choice in accordance with Contentful’s ISO 27001 compliant information security management system. Customer hereby instructs Contentful to perform audits for purposes of privacy compliance under this DPA as described in this section 12.2.
12.3. If Customer wishes to alter its above instructions concerning audits, Customer will issue a suggestion for altered audit instructions to Contentful in writing reasonably in advance of the requested audit and the Parties will mutually agree upon the details of the audit. Customer will take all reasonable endeavors to minimize disruption to Contentful’s business. The audit and any information arising therefrom shall be considered Contentful’s Confidential Information and may only be shared with a third-party with Contentful’s prior written agreement. Contentful reserves the right to charge a fee (rates shall be reasonable, taking into account the resources expended by Contentful) for audits described in this section 12.3.
12.4. Customer will not carry out more than one audit per year of the Agreement term unless: (i) Customer reasonably considers it necessary because of genuine and demonstrable concerns as to Contentful’s compliance with this DPA or Data Protection Laws; or (ii) Customer is required to carry out an audit by Data Protection Laws, a supervisory authority or any similar regulatory authority responsible for enforcement of such laws; or (iii) if an earlier audit has identified non-conformity with this DPA or Data Protection Laws.
12.5. Nothing herein limits any rights mandated by law, such as supervisory authority and Data Subject rights, including in accordance with the Standard Contractual Clauses.
13. Cooperation Obligations
13.1. If Customer is required to provide information to a supervisory authority or to otherwise cooperate with a public authority, relating to Processing of Customer Personal Data, Contentful will support Customer by providing such information reasonably available to it or otherwise reasonably cooperating with Customer, including as such information relates to technical and organizational measures taken in line with Article 32 GDPR.
13.2. To the extent necessary and reasonable, Contentful will support Customer by providing reasonably requested information regarding the Subscription Services to enable Customer to carry out data protection impact assessments or consultation (if applicable) with data protection authorities as required by Data Protection Laws.
14. Relationship to Agreement
14.1. This DPA shall replace and supersede any existing data processing addendum, attachment, exhibit or standard contractual clauses that Contentful and Customer may have previously entered into in connection with the Subscription Services. This DPA is subject to the governing law and jurisdiction provisions in the Agreement unless and to the extent required otherwise by Data Protection Laws.
14.2. Each Party and each of its Affiliates’ liability, taken in the aggregate, arising out of or related to this DPA (including the Standard Contractual Clauses where applicable), whether in contract, tort or under any other theory of liability, are subject to the limitations and exclusions of liability set out in the Agreement.
Schedule 1: Details of Processing
For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 1 serves as Annex I, Part B.
Categories of Customer Personal Data | The types of Customer Personal Data are determined and controlled by Customer in its sole discretion. Such Customer Personal Data typically consists of editorial material intended for websites and may include, but is not limited to, business contact information (e.g., names, email addresses, phone numbers). To the extent Customer elects to use Ninetailed by Contentful, in addition to the above, Customer Personal Data about Customer’s end users and visitors to Customer’s applications may be Processed. Such Customer Personal Data is also determined and controlled by Customer in its sole discretion and typically consists of the following information:
No “special categories of personal data” or similarly sensitive Personal Data are transferred. |
Categories of Data Subjects | Customer Content may include Personal Data, the Data Subjects of which are controlled and determined by Customer at its sole discretion. To the extent Customer elects to use Ninetailed by Contentful, in addition to the above, the Customer Personal Data also relates to Customer’s end users and visitors to their applications. |
Duration of Processing | Duration of the Agreement, including this DPA as described in Section 10 herein. |
Frequency of Processing | Continuous basis for the duration of the Agreement |
Nature of Processing | Any operation necessary for the performance of the Agreement and to comply with Customer’s Processing instructions. |
Purposes of Processing | Performance of the Agreement and provision of Subscription Services and related support services; hosting Customer Content and serving it via application programming interfaces to Customer Applications; and, to the extent Customer elects to use Ninetailed by Contentful, Processing and segmenting Customer Personal Data of Customer’s end users and their interactions with Customer’s applications. |
Competent Supervisory Authority | The competent supervisory authority of the applicable Member State of Customer (the data exporter for purposes of Schedule 3). |
Schedule 2: Technical and organizational measures
For purposes of the Standard Contractual Clauses in Schedule 3, this Schedule 2 serves as Annex II. This Schedule 2 may be replaced by the Contentful security policy by appending or referencing and incorporating such policy herein: https://www.contentful.com/legal/security-standards/de/
Schedule 3 - Standard Contractual Clauses
For data transfers by Customer from the European Economic Area, the United Kingdom or Switzerland to Contentful in a country that does not ensure an adequate level of protection within the meaning of Data Protection Laws, the EU SCCs and/or UK Addendum and/or Swiss Addendum, as applicable, shall govern such transfers.
1. EU SCCs
The EU SCCs will apply to all transfers of Customer Personal Data subject to the GDPR and made to Contentful in a country requiring the application of the EU SCCs and any optional clauses not expressly selected are not incorporated. For the purposes of the EU SCCs:
1.1. Module Two terms will apply in the case of Processing where Customer acts as a Controller and Module Three terms will apply in the case of Processing where Customer acts as a Processor. 1.2. Clause 7 (the docking clause) will apply. 1.3. Clause 9, Option 2 (General written authorization) will apply, and the time period for prior notice of Sub-processor changes will be as set forth in Section 7 (Sub-processors) of this DPA. 1.4. With regard to Clause 17 (Governing law), option 1 will apply and the governing law will be the governing law as set forth in the Agreement. 1.5. With regard to Clause 18 (Choice of forum and jurisdiction), the jurisdiction shall be the jurisdiction as set forth in the Agreement. 1.6. For purposes of Annex I, Part A of the EU SCCs, Schedule 1 of the DPA contains the specifications regarding the Processing and the competent supervisory authority and the following shall apply with respect to the Parties:
Data Exporter: The Customer listed in the DPA
Contact Details: Customer’s account owner email address
Data Exporter Role: Controller for Module Two and Processor for Module Three
Signature & Date: By entering into the DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
Data Importer: Contentful
Contact Details: Contentful Privacy Team - privacy@contentful.com
Data Importer Role: Processor for Module Two and sub-processor for Module Three
Signature & Date: By entering into the DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the DPA.
1.7. For purposes of Annex II, Schedule 2 of the DPA contains the technical and organizational measures. 1.8. The specifications for Annex III are determined by Section 7 of this DPA. The Sub-processors’ contact persons’ names, positions and contact details will be provided by Contentful upon written request.
2. UK Addendum
The UK Addendum will apply to all transfers of Customer Personal Data subject to the UK GDPR or to both the GDPR and UK GDPR and made to Contentful in a country requiring the application of the UK Addendum. For purposes of the UK Addendum:
2.1. Table 1: The Parties are Contentful and Customer, with contact details as set forth in this DPA. 2.2. Table 2: The Approved Standard Contractual Clauses are the EU SCCs as set forth in Section 1 (EU SCCs) of this Schedule 3 to the DPA. 2.3. Table 3: 2.3.1. Annex 1A: as set forth in Section 1.6 of this Schedule 3; 2.3.2. Annex 1B: as set forth in Schedule 1 of this DPA; 2.3.3. Annex II: as set forth in Schedule 2 of this DPA and; 2.3.4. Annex III: as set forth in Section 8 of this DPA. 2.4. Table 4: Either Party may terminate the UK Addendum in accordance with Section 19 of the UK Addendum if the Parties are unable to come to a mutual agreement after a good faith effort to amend this DPA to account for changes arising from a revised Approved Addendum issued by the ICO. 2.5. Part 2 Mandatory Clauses. The Mandatory Clauses of the Approved Addendum, (being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses) shall apply.
3. Swiss Addendum
For transfers of Customer Personal Data that are subject to the Swiss Federal Act on Data Protection of 25 September 2020 and the Swiss Ordinance of 31 August 2022 on Data Protection (the “Swiss Data Protection Laws”), the EU SCCs form part of this Swiss Addendum, but with the following differences to the extent required by the Swiss Data Protection Laws.
3.1. References to the GDPR in the EU SCCs shall be references to Swiss Data Protection Laws to the extent the data transfers are subject exclusively to Swiss Data Protection Laws and not to the GDPR. 3.2. References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”. 3.3. The “competent supervisory authority” is the Federal Data Protection and Information Commissioner insofar as the transfers are governed by Swiss Data Protection Laws. 3.4. Clause 18 of the EU SCCs is replaced to state: “Any dispute arising from these Clauses relating exclusively to Swiss Data Protection Laws will be resolved by the courts in Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence.”