Last Updated: November 13, 2020
EU-1. APPLICABILITY OF EU SUPPLEMENT; SERVICE PROVIDER ENTITY. The provisions of this United Kingdom and Europe Supplement to 8x8 CPaaS Regional Terms (this “EU Supplement”) (a) are a supplement to, and part of, the Regional Terms and (b) shall apply solely with respect to Ordered CPaaS Services and other services and products ordered or provided under the Agreement (collectively, “Ordered Products”) provided to a Customer Location in the United Kingdom (the “UK”) or Europe. The relevant 8x8 company that provides Ordered Products, if any, to Customer in the UK and/or Europe, and to which this EU Supplement relates, is: 8x8 UK Limited (trading as 8x8), registered in England with company number: 05083841 (Oxford House, Bell Business Park, Smeaton Close, Aylesbury, Buckinghamshire HP19 8JR), as per the relevant Order. References to 8x8 within this EU Supplement shall be references to 8x8 UK Limited. As among 8x8, Inc., 8x8 UK Limited, and 8x8, Inc.’s other Affiliates, 8x8 UK Limited shall be solely liable with respect to such Ordered Products and under the related Orders (to the extent that they relate to such Ordered Products).
EU-2. CUSTOMER SUPPORT. The 8x8 CPaaS Service Terms describe the support provided to Customer. Customer may contact customer support on firstname.lastname@example.org (or by calling 8x8’s main line number +44 (0)02070966060 and stating clearly that Customer requires support), or such other address as may be notified by 8x8 from time to time, for further details.
EU-3. B2B CONTRACT; LIST PRICING. Customer confirms it receives Ordered Products as a business user, and the Agreement represents a business-to-business contract. All relevant current list pricing is available at www.8x8.com/uk.
EU-4. DATA PROTECTION AND SECURITY.
EU-4.1. Data Protection Appendix. The Data Protection Appendix attached to this EU Supplement (the “DPA”) contains the following information about the Ordered CPaaS Services: (a) subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, and the categories of data subjects and (b) the obligations and rights of the controller. The DPA also includes the security measures that 8x8 has in place to protect Customer Personal Data. To the extent that Customer has purchased particular CPaaS Services, the relevant terms for such particular CPaaS Services set out in the DPA shall apply, and such terms shall be made a part of this EU Supplement and incorporated herein by reference. 8x8 may update the DPA from time to time in its discretion to reflect the addition, removal, or discontinuation of services or other products and/or changes to the security measures set forth in Part B (Security Measures) of the DPA that do not have a material adverse effect on the use of the CPaaS Services.
EU-4.2. Relationship of the Parties. Customer is the controller of Customer Personal Data. 8x8 acts as a controller of 8x8 Personal Data and a processor of Customer Personal Data under the Agreement.
EU-4.3. 8x8 as a Controller. Where 8x8 acts as a controller, it will process Personal Data in accordance with Applicable Data Protection Law. Further information about how 8x8 processes Personal Data may be found in 8x8’s Privacy Notice (available at https://www.8x8.com/terms-and-conditions/privacy-policy).
EU-4.3.1. 8x8 shall maintain appropriate technical and organisational security measures to protect Personal Data against a Personal Data Breach.
EU-4.3.2. Customer warrants that it has obtained all necessary consents, notifications, and permissions required under Applicable Data Protection Law to permit Customer to share such Personal Data with 8x8 and allow 8x8 to otherwise collect, use, or process such Personal Data (including without limitation that which 8x8 might collect directly from Users or any other end users via cookies or other means) as described in the Agreement; in order to provide the Ordered Products or to otherwise fulfil 8x8’s obligations under the Agreement; as otherwise set out in the DPA or 8x8’s Privacy Notice; or as otherwise agreed by the Parties in writing (collectively, the “Permitted Purposes”). As between Customer and 8x8, Customer is solely responsible for disclosing to Users and other end users that 8x8 is processing Personal Data for the Permitted Purposes and for notifying or otherwise directing such Users and end users to 8x8’s Privacy Notice.
EU-4.3.3. Customer shall notify 8x8 of: (i) any limitations in Customer’s privacy notice to data subjects, (ii) any changes in, or revocation of, consent by a data subject to use or disclose Personal Data, and/or (iii) any restrictions on the use of Personal Data to which Customer has agreed in accordance with its agreements with data subjects; in each case, to the extent that such limitations, changes, or restrictions may affect 8x8’s uses or disclosures of Personal Data.
EU-4.3.4. The Parties shall not act as joint controllers for the purposes of Article 26 of the EU General Data Protection Regulation (Regulation 2016/679) (GDPR) in relation to any processing of Personal Data under the Agreement.
EU-4.4. 8x8 as a Processor. Customer (the controller) appoints 8x8 as a processor to process the Customer Personal Data for the Permitted Purposes. Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law.
EU-4.4.1. 8x8 shall process Customer Personal Data in accordance with Customer’s instructions, which Customer acknowledges and agrees are set out in the Agreement.
EU-4.4.2. International Transfers. 8x8 shall not process or transfer Customer Personal Data originating from the European Economic Area (“EEA”) outside of the EEA unless 8x8 has taken such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Data Protection Law. Such measures may include without limitation transferring Customer Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
EU-4.4.3. Confidentiality of Processing. Subject to any exclusion or limitation of liability provided for in the Agreement, 8x8 shall ensure that any person it authorises to process Customer Personal Data (an “Authorised Person”) shall disclose Customer Personal Data only (a) to 8x8, (b) to those of 8x8’s personnel, advisors, Affiliates, or Partners to which such disclosure is reasonably necessary to accomplish a Permitted Purpose or other purpose for which it was disclosed to 8x8 and which are bound to reasonable confidentiality obligations with respect to such Customer Personal Data, (c) in response to a judicial order or other lawful process, or (d) as approved or instructed by Customer.
EU-4.4.4. Security as a Processor. 8x8 shall implement technical and organisational measures as set out in the DPA to protect Customer Personal Data from loss, alteration, or unauthorised disclosure or access (each a “Security Incident”) or accidental or unlawful destruction.
EU-4.4.5. Subcontracting. Customer consents to 8x8’s engagement of third-party subprocessors to process Customer Personal Data for the Permitted Purposes, provided that: (a) 8x8 maintain an up-to-date list of its subprocessors on its website, (b) 8x8 impose on such subprocessors data protection terms with respect to Customer Personal Data that are no less onerous than those set out in this Section EU-4.4 (8x8 as a Processor), and (c) 8x8 remain liable for any breach of this Section EU-4.4 (8x8 as a Processor) that is caused by an act, error, or omission of such a subprocessor in connection with performing its obligations as such a processor. No change to such list shall be effective until ten (10) days (or such longer period specified by 8x8) after 8x8’s posting of the details, or 8x8’s other notification of Customer, of the new engagement. 8x8 will be considered to have materially breached the Agreement for purposes of Customer’s right thereunder to terminate such Agreement for 8x8’s material breach thereof in the event that (i) Customer objects (via notice to 8x8) to such new engagement on reasonable grounds relating to data protection within such advance posting/notification period, (ii) 8x8’s cancellation of such engagement is reasonably practicable, and (iii) 8x8 nevertheless declines to cancel such engagement.
EU-4.4.6. Cooperation and Data Subjects’ Rights. 8x8 shall, at Customer’s sole expense, provide reasonable and timely assistance to Customer to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any other correspondence, enquiry, or complaint received from a data subject, regulator, or other third party in connection with the processing of Customer Personal Data. In the event that any such request, correspondence, enquiry, or complaint is made directly to 8x8, 8x8 shall, at Customer’s sole expense, promptly inform Customer of, and provide reasonable details as to, the same.
EU-4.4.7. Data Protection Impact Assessment. If 8x8 believes or becomes aware that its processing of Customer Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, 8x8 shall inform Customer and, at Customer’s sole expense, provide reasonable cooperation in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
EU-4.4.8. Security Incidents. If 8x8 becomes aware of a confirmed Security Incident, it shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can timely fulfil any data breach reporting obligations that Customer might have under Applicable Data Protection Law. 8x8 shall further take measures and actions reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection therewith. Customer acknowledges that such assistance or other actions by 8x8 shall be at Customer’s own cost, unless the Security Incident occurred as a direct result of 8x8’s breach of its obligations under Section EU-4.4.4 (Security as a Processor).
EU-4.4.9. Deletion or Return of Data. Upon termination or expiration of the Agreement, and without prejudice to the other provisions of the Agreement that contemplate data storage, 8x8 shall, at Customer’s election and cost, destroy or return to Customer all Customer Personal Data in 8x8’s possession or control. The foregoing requirement shall not apply to the extent that 8x8 is required by applicable law to retain some or all of the Customer Personal Data, or to retain Customer Personal Data that 8x8 has archived on back-up systems, which Customer Personal Data 8x8 shall securely isolate and protect from any further processing not required or permitted by such law.
EU-4.4.10. Audit. Customer acknowledges that 8x8 is regularly audited against ISO 27001, ISO 9001, and Cyber Essentials (or substantially equivalent) standards by independent third-party auditors. Upon Customer’s reasonable request, 8x8 shall supply a summary copy of its audit report(s) to Customer, provided that Customer shall (a) keep such reports confidential and not disclose them to any party other than those of its own personnel and advisors to whom such disclosure is necessary in connection with Customer’s reasonable compliance and data security efforts and who are bound to reasonable confidentiality obligations with respect to such report(s), (b) not use such report(s) except in connection with such efforts, and (c) protect their confidentiality with the same degree of care as Customer uses to protect its own confidential information of like kind, but in no event less than reasonable care.
EU-4.5. Processing – Third-Party Services. Where Customer uses third-party services, or has otherwise requested that third-party services be made available, as part of the Ordered Products, Customer agrees that any processing of Personal Data that relates to such third-party services shall be carried out by the third party directly and that 8x8 shall have no liability or responsibilities in relation to such processing. Any and all terms governing such processing shall be as set out in a separate agreement between Customer and the third party.
EU-4.6. Liability. Customer acknowledges that 8x8 relies on Customer for direction as to the extent to which 8x8 is entitled to use and process the Customer Personal Data. Consequently, 8x8 shall not be liable for any Claim brought by a data subject in relation to Customer Personal Data not arising from:
EU-4.6.1. Any failure by 8x8 to comply with its obligations under Section 4.4.4 (Security as a Processor); or
EU-4.6.2. 8x8 acting outside of, or contrary to, the lawful instructions provided by Customer under the Agreement or the relevant regulator to 8x8.
EU-4.7. Definitions. For purposes of this Section EU-4 (Data Protection and Security), the following terms will have the following meanings:
- “8x8 Personal Data” means the Personal Data for which 8x8 determines the purposes and means of processing and, for the avoidance of doubt, excludes Customer Personal Data.
- “Applicable Data Protection Law” means all applicable binding laws and regulations which apply to the Parties in relation to the processing of personal data and an individual's privacy rights under the Agreement.
- “controller”, “processor”, “data subject”, “Personal Data Breach”, and “processing” (and “process”) have the meanings given to them in Applicable Data Protection Law.
- “Customer Personal Data” means only that proportion of the Personal Data for which Customer decides the purposes and means of processing and which is processed by 8x8 to provide the Ordered CPaaS Services or other services ordered under the Agreement (the “Ordered Services”) in accordance with Customer’s instructions.
- “Personal Data” has the meaning given in Applicable Data Protection Law.
EU-5. PAYMENT AND DISPUTE RESOLUTION FOR SPANISH CUSTOMERS. Spanish Customers with Ordered CPaaS Services provided to a Customer Location in Spain are entitled to request that payments are made by means other than direct debit, if such other means are generally market-accepted.
EU-6. EXPRESS CONSENT. Pursuant to articles 1341 and 1342 of Italian Civil Code, by entering into the Agreement, Customer expressly agrees and approves of (a) the following Sections of the 8x8 CPaaS Service Terms: 6.1 (Payment of Billed Amounts), 8 (General Representations and Warranties; Warranty Disclaimer), 10 (Suspension and Restriction), 11 (Term of Agreement), 12 (Indemnification), 13 (Exclusions and Limitations of Liability), 14 (Dispute Resolution), 15.2. (Governing Law; Jurisdiction), and 15.3. (Force Majeure) and (b) any provision of a Service Module related to limitations, suspension, or restriction of services, products, or offerings; third-party offerings and/or integrations; billing or payment of amounts; any representation, warranty, or disclaimer; term, termination, or renewal of a Service Module or the Agreement; any subscription commitment, term commitment, or commitment related to any lease or similar arrangement; indemnification; exclusions or limitations of liability; governing law and/or jurisdiction; or force majeure events.
Data Protection Appendix
Part A – Processing Details – Customer Personal Data
The following terms shall apply to the processing activities that 8x8 carries out as a processor under the Agreement in respect of the Ordered CPaaS Services.
| 8x8 CPaaS Services | |
|---|---|
| Subject-matter | 8x8 provides communications-platform-as-a-service (CPaaS) services, enabling its customers to add communications services to their applications and websites through 8x8’s CPaaS APIs and incorporate SMS, chat, video interaction, and voice communications into their applications or websites to allow communication between and among their users or other end users. |
| Duration of processing | The Effective Period |
| Nature/purpose of processing | Provision of such Ordered CPaaS Services, as set out in the Agreement. Users and other end users may transmit, receive, and/or store through such Ordered CPaaS Services audio, textual, visual, and video content in the form of voice calls, video calls, voice and video recordings, SMS, chat, and other messages, device screen shares or captures, and photo shares or captures. They may also record and/or store within such Ordered CPaaS Services information (such as profiles for individual contacts or notes regarding a call or support case or ticket) regarding the third parties with or about whom they communicate through such Ordered CPaaS Services. |
| Type of Personal Data | Name and contact details; Personal Data regarding communications activity and preferences and usages of such Ordered CPaaS Services; IP addresses; location data/IP addresses accessing such Ordered CPaaS Services; SMS or chat message content; any Personal Data voluntarily disclosed by the user or third party with whom Users and other end users communicate. |
| Categories of data subjects | Users and other end users of such Ordered CPaaS Services; those with whom such Users and other end users communicate, record, or store information through such Ordered CPaaS Services. |
| Obligations/rights of controller | As set out in the Agreement |
Part B – Security Measures
The following terms shall apply to any Customer Personal Data that 8x8 processes to provide Ordered Services.
Administrative, physical, and technical safeguards implemented in accordance with 8x8’s existing data security program, which includes:
- (i) limiting access to information on 8x8’s information system media to authorized users;
- (ii) limiting physical access to 8x8’s information systems and related equipment to authorized individuals;
- (iii) regular assessments of information security risks to 8x8’s information systems and associated information processing activities and of the effectiveness of information security controls in 8x8’s information systems;
- (iv) training of 8x8’s managers and users of 8x8’s information systems regarding the information security risks associated with their activities and applicable laws and policies; and
- (v) imposition of formal sanctions for 8x8 personnel failing to comply with 8x8’s information security policies and procedures.