Effective Date: September 27, 2021
This DPA applies to you if are a Customer that subscribed to WalkMe’s Services on or after September 27, 2021.
If you are a Customer that is subscribing, or has subscribed to WalkMe’s Services prior to September 27, 2021, the DPA available here shall be applicable to you.
THIS DATA PROCESSING AGREEMENT (“DPA”) BETWEEN THE WALKME LEGAL ENTITY SIGNING AN ORDER FORM AND ITS AFFILIATES (COLLECTIVELY, “WALKME”, “COMPANY”, “WE”, “US” or “PROCESSOR”) AND THE INDIVIDUAL OR LEGAL ENTITY LICENSING THE SERVICES UNDER AN APPLICABLE ORDER FORM AND/OR WALKME’S MASTER SAAS AGREEMENT (“THE PRINCIPAL AGREEMENT”) (“CUSTOMER”, “YOU” OR “CONTROLLER”) AND TOGETHER WITH WALKME, THE “PARTIES” GOVERNS CUSTOMER’S ACCESS AND USE OF THE SERVICES.
BY ACCEPTING THIS DPA WHILE EXECUTING AN ORDER FORM AND/OR PRINCIPAL AGREEMENT THAT REFERENCES THIS DPA, CUSTOMER AGREES TO THE TERMS OF THIS DPA. IF YOU ARE ENTERING INTO THIS DPA ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “CUSTOMER” “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS DPA AND SHALL NOT BE PERMITTED TO USE THE SERVICES.
BY ACCEPTING THE TERMS OF THIS DPA YOU REPRESENT AND WARRANT THAT ANY AND ALL INFORMATION PROVIDED TO US THROUGH THE SERVICE IS TRUE, ACCURATE AND COMPLETE. THE PROVISION OF FALSE OR FRAUDULENT INFORMATION IS STRICTLY PROHIBITED.
Background and undertakings:
a. Controller and WalkMe have entered into the Principal Agreement under which WalkMe agreed to provide certain SaaS and professional services (the “Service”) pursuant to the Principal Agreement to the Controller and/or its Affiliates. In rendering the Service, WalkMe may from time to time be provided with, or have access to, information of the Controller which may qualify as Personal Data (as defined below) which is subject to Applicable Data Protection Legislation.
b. Subject to the terms of this DPA, WalkMe shall process Controller‘s data as a processor for the provision of the Service under the Principal Agreement and as further described in Annex 1.
c. The Parties agree that the terms and conditions set out below, are an addendum to the Principal Agreement.
Now therefore, and in order to enable the Parties to comply with the Applicable Data Protection Legislation (as defined below), the Parties have entered into this DPA as follows:
- Definitions
In this DPA the following terms have the following meanings, terms not otherwise defined herein shall have the same meaning as in the Principal Agreement:
“Affiliate/s” means any legal entity directly or indirectly controlling, controlled by or under common control with a party to the Principal Agreement, where “control” means the ownership of a majority share of the voting stock, equity, or voting interests of such entity;
“Applicable Data Protection Legislation” means all applicable laws and regulations, subject to the processing of Controller Data under this DPA, including without limitation (as applicable), (i) the General Data Protection Regulation (EU) 2016/679 (the “GDPR”); (ii) the UK Data Protection Act (“UK DPA”) and the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, (ii) the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 999.300 to 999.337), and any related regulations or guidance provided by the California Attorney General (together, the “CCPA”);
“Controller Data” means any Personal Data processed by Processor on behalf of Controller, pursuant to or in connection with the Principal Agreement;
“Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, Module 2 (Controller to Processor) of the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021; and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the standard contractual clauses for the transfer of Personal Data to data processors established in third countries set out in the Commission Decision of 5 February 2010, or any equivalent clauses issued by the relevant competent authority of the UK, in each case as amended, updated or replaced from time to time;
“Data Processing Agreement or DPA” means this DPA and all appendices attached hereto (as amended from time to time in accordance herewith);
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or as otherwise referred to as “personal information”, “personally identifiable information” or similar term defined in the Applicable Data Protection Legislation;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Data processed, transmitted, stored or otherwise processed;
“Processor to Processor Clauses” means, as relevant, Module 3 (Processor to Processor) of the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, or any equivalent clauses issued by the relevant competent authority of the UK in respect of transfers of Personal Data from the UK, in each case as in force and as amended, updated or replaced from time to time;
“Sub-processor/s” means a Processor engaged by WalkMe to carry out Processing in respect of Controller Data on behalf of the Controller;
“Third-Country” means (i) in relation to Personal Data transfers subject to the GDPR, any country outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers subject to the UK GDPR, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.
The terms recognized by the GDPR, such as “Controller”, “Data Subject”, “Process”, “Processor” “Processing”, “Supervisory Authority” shall have the meanings set out therein even if such terms are not capitalized in this DPA.
- Processing of Controller Data
1.1 Each Party shall comply with the Applicable Data Protection Legislation at all times.1.2 The Processor shall solely process the Controller Data to the extent necessary to provide the Service to the Controller.
1.3 The Processor agrees to only process Controller Data, in accordance with Controller’s documented instructions under this DPA, the Principal Agreement, the Order Form and in accordance with the Applicable Data Protection Legislation.
1.4 Controller warrants and represents that it is, and will, at all relevant times remain duly and effectively authorized to give instructions. Controller shall have sole responsibility for the accuracy, quality and legality of Controller Data and how Controller acquired Controller Data. This DPA, the instructions, the Principal Agreement and the Order Form are Controller’s complete and final instructions to Processor for the Processing of Controller Data. Any additional or alternate instructions must be agreed upon separately in writing between authorized representatives of both Parties.
1.5 The Processor shall immediately notify Controller if the Processor cannot fulfil its obligations under this DPA or if the Processor is of the view that an instruction regarding the processing of Controller Data given by Controller would be in breach of Applicable Data Protection Legislation, unless the Processor is prohibited from notifying Controller under applicable Data Protection Legislation.
1.6 The Processor shall immediately notify Controller in writing if the Supervisory Authority requests access to Controller Data which the Processor processes on behalf of Controller, unless prohibited from doing so by the Supervisory Authority.1.7 The Parties acknowledge and agree that WalkMe may qualify as a “Service Provider” as defined in the CCPA Final Regulations at Section 999.314 (a “Service Provider”). When WalkMe acts as a Service Provider, Customer discloses Personal Information to WalkMe solely for a valid “business purpose” (as defined in the CCPA) (a “Business Purpose”) and for WalkMe to perform the Service, and WalkMe will only collect, use, retain, or disclose “Personal Information” (as defined in the CCPA) received from the Controller (such information, “Personal Information”) for the Business Purpose for which Controller provides or permits Personal Information access. WalkMe will not collect, use, retain, disclose, sell, or otherwise make Personal Information except for internal use to build or improve the quality of its services, or in a way that fully complies with CCPA, including the final implementing Regulations. WalkMe will limit its collection, retention, use, and disclosure of Personal Information to activities reasonably necessary and proportionate to provide the Service under this DPA and the Principal Agreement. Both Parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing Personal Information.
- Security Measures
2.1 The Processor shall implement appropriate technical and organizational measures to protect and safeguard the Controller Data that is processed, against Personal Data Breaches.2.2 Processor will maintain its security controls and audits, pursuant to, amongst others, ISO 27001, SOC 2 type II and ISO27799 Security management in health as detailed at: https://www.walkme.com/walkme-security/or otherwise made reasonably available by the Processor. Processor regularly monitors compliance with these safeguards. Processor will not materially decrease the overall security of the Service during the term of the Principal Agreement.
- Personnel; Confidentiality
3.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Controller Data (“Personnel”), ensuring in each case that access is strictly limited to Personnel who need to know/access the relevant Controller Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with the Applicable Data Protection Laws in the context of such Personnel’s duties to the Processor.3.2 The Processor will impose appropriate contractual obligations upon its Personnel Processing Controller Data, including relevant obligations regarding confidentiality, data protection and data security. Processor shall ensure that Personnel engaged are informed of the confidential nature of Controller Data and have received appropriate training with respect to their responsibilities.
3.3 The Processor has appointed a Data Protection Officer where such appointment is required by Applicable Data Protection legislation. The appointed person can be reached at [email protected]
- Sub-processors
4.1 Controller hereby grants the Processor a general written authorization to engage Sub-processors set out https://www.walkme.com/walkme-sub-processors/ (“Sub-processor Portal”).4.2 Controller may sign up to notifications of changes to the Sub-Processors through the Sub-processor Portal.
4.3 Processor shall give Controller at least 30 days’ prior notice of the appointment of any new Sub-processor or the replacement of an existing Sub-processor, including relevant details of the processing activities to be performed by such Sub-processor, by updating the Sub-processor Portal and providing Controller with a notification of such change through the mechanism on the Sub-processor Portal and via email.
4.3.1 If, within seven (7) days of receipt of such notice Controller notifies Processor in writing of any reasonable objection to the appointment with respect to the protection of Controller Data (“Controller Notice”), Processor shall postpone the appointment until reasonable steps have been taken to address Controller’s objection, which may be achieved by way of, amongst others: (i) offering an alternative to provide the Service without using such Sub-processor; (ii) Processor may cease to provide, or Controller may agree, not to use that specific part of the Service involving such Sub-processor; or (iii) take commercially reasonable supplementary measures in cooperation with Controller. Objection Notices should be sent to [email protected]
4.3.2 Where such steps are not reasonably sufficient or available to relieve Controller’s objection and no alternative mutually agreeable solution could be reached within thirty (30) days upon receipt of the Controller Notice, to the extent that it relates to the Service which require the use of such Sub-processor, either Party may, by written notice to the other party, terminate the applicable Order Form and/or Principal Agreement, for which Processor may – in its sole discretion – provide a refund of the pro-rata portion of any unused, prepaid Fees under the applicable Order Form (calculated from the balance period between termination date and the original term of the Order Form).
4.3.3 If the Controller does not provide a timely Controller Notice, the Sub-processors shall be deemed approved, and Processor may commence using such Sub-processor.
4.4 Where a Sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to Controller for the performance of the Sub-processor’s obligations.
4.5 With respect to each Sub-processor prior to its appointment (i) Processor shall carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Controller Data required by the Principal Agreement and this DPA; and (ii) ensure that the arrangement between the Processor and the Sub-processor is governed by a written contract that substantially meets the same obligations under this DPA.
- Affiliates
5.1 Some of Processor’s obligations may be performed by Processor’s Affiliates, as detailed on the Sub-processor’s Portal. Controller acknowledges that Processor’s Affiliates may Process Controller Data on Processor’s behalf to perform the Service under the Principal Agreement.5.2 Processor will be liable for the acts and omissions of its Affiliates to the same extent Processor would be liable if performing the Service under the Principal Agreement.
5.3 Controller hereby consents to Processor’s use of Processor’s Affiliates in the performance of the Service in accordance with the terms of this Section 5.
- Personal Data Breach
6.1 In the event of a Personal Data Breach, the Processor shall notify Controller of such Personal Data Breach without undue delay and at the latest within 48 hours after becoming aware of the Personal Data Breach.6.2 The Processor shall promptly after becoming aware of a Personal Data Breach:
a. Commence an investigation of the Personal Data Breach in order to determine the scope, nature and the likely consequences of the Personal Data Breach;
b. Take appropriate remedial measures in order to mitigate the possible adverse effects of the Personal Data Breach and minimize damage resulting therefrom.
6.3 Processor shall promptly provide Controller with such details relating to the Personal Data Breach as Controller reasonably requires complying with its obligations under the Applicable Data Protection Legislation.
6.4 The obligations in this Section 6 shall not apply to incidents that are caused by Controller or Controller’s End Users (as defined in the Principal Agreement).
- Rights of Data Subjects
7.1 Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of processing, erasure, data portability, or to object to processing, each a “Data Subject Request”. Processor will not respond to any such requests unless authorized to do so by Controller or as required under Applicable Data Protection Legislation or under the instructions of a Supervisory Authority.7.2 Subject to Clause 7.3, the Processor shall provide commercial reasonable assistance to Controller by taking appropriate technical and organisational measures for the fulfilment of Controller’s obligation to respond to requests for exercising the Data Subjects’ rights as laid down by Applicable Data Protection Legislation. Unless prohibited under the Applicable Data Protection Legislation, Controller will reimburse Processor with any costs and expenses related to Processor’s provision of such assistance.
7.3 Controller will provide Processor with the specific identification information (e.g. IP address and time of uploading the information to the Processor’s servers) in order for Processor to assist the Controller in responding to a Data Subject Request.
- Audits
8.1 Processor shall make available to Controller, upon prior written request, all relevant information necessary to reasonably demonstrate compliance with its obligations detailed in this DPA.8.2 Processor shall allow for and contribute to audits, including inspections on its premises, which in no event will be conducted more than once in each calendar year (except following a Personal Data Breach) and during regular business hours. The audit may be conducted by Controller or a third-party auditor mandated by Controller, provided that such third-party auditor shall be subject to sufficient confidentiality obligations. Controller shall give Processor at least 14 days notice prior to exercising its audit rights.
8.3 Each Party shall bear its own costs in relation to such audit. However, where Controller has mandated a third-party auditor to carry out the audit on its behalf, Controller shall bear the costs for such third-party auditor.
- Data Impact Assessments; Consultations
The Processor shall, upon Controller’s request, provide necessary information in order to allow Controller to fulfil its obligations to, where applicable, carry out data protection impact assessments (“DPIAs”) and prior consultations with the relevant Supervisory Authority under Applicable Data Protection Legislation in relation to the processing of Controller Data covered by this DPA.
- Documentation
Processor shall maintain complete, accurate and up-to-date documentation of its processing activities and measures taken hereunder, as required under the Applicable Data Protection Legislation, which Processor shall make available to Controller upon Controller’s written request.
- Transfers
11.1 To the extent Processor processes Controller Data in a Third Country, and it is acting as a data importer, Processor shall comply with the data importer’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this DPA; the Controller shall comply with the data exporter’s obligations in such Controller to Processor Clauses.(i) for the purposes of Appendix 1 or Annex I (as relevant) of such Controller to Processor Clauses, the parties and processing details set out in Annex 1 (Processing Details) shall apply;
(ii) for the purposes of Appendix 2 or Annex II (as relevant) of such Controller to Processor Clauses, the technical and organisational security measures set out in Clause 2 of this DPA shall apply; and
(iii) if applicable, for the purposes of: (i) Clause 9 of such Controller to Processor Clauses, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Clause 6.2 shall apply; (ii) Clause 11(a) of such Controller to Processor Clauses, the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be Dutch Data Protection Authority (Authoriteit Persoonsgegevens); (iv) Clause 17, Option 1 is deemed to be selected and the governing law shall be Dutch law; and (v) Clause 18, the competent courts shall be in the Netherlands.
11.2 The Controller acknowledges and agrees that Processor may appoint an Affiliate or Sub-processor to Process the Controller Data in a Third Country, in which case:
(i) the Data Processor shall execute the Processor to Processor Clauses, if applicable and available, with any relevant Sub-processor (including affiliates) it appoints on behalf of the Controller; and/or
(ii) if the Processor to Processor Clauses are not applicable and available, the Controller grants Data Processor a mandate to execute the relevant Standard Contractual Clauses, with any relevant Sub-processor (including affiliates).
- Deletion; Return
Processor shall promptly, and in any event within 90 days of termination of the Principal Agreement or upon Controller’s request, delete or return all copies of Controller Data, except where such copies are required to be retained in accordance with the Applicable Data Protection Legislation and provided that Processor shall ensure the confidentiality of all such Controller Data. Upon prior written request of Controller, Processor shall provide written documentation that is has complied with its obligation herein.
- General Terms
12.1 The Parties this DPA agree to negotiate in good faith modifications to this DPA if changes are required for Processor to continue to process the Controller Data as contemplated by this DPA in compliance with the Applicable Data Protection Legislation or to address the legal interpretation of the Applicable Data Protection Legislation, including(i) to comply with any guidance on the interpretation of any of the respective provisions of the Applicable Data Protection Legislation;
(ii) the Standard Contractual Clauses or any other mechanisms or findings of adequacy are invalidated or amended, or
(iii) if changes to the membership status of a country in the European Union or the European Economic Area require such modification.
12.2 The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
12.3 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either
(i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible,
(ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.4 Amendments and additions to this DPA shall be in writing and duly signed by the Parties to be valid.
Annex 1 – Details of Processing
This Annex 1 includes details of the Processing of Controller Data as required by Article 28(3) GDPR.
- Subject matter and duration of the Processing of Controller Data
The subject matter and duration of the Processing of the Controller Data are set out in the Principal Agreement and this Annex.
- The nature and purpose of the Processing of Controller Data
Processor has developed, and owns a Software as a Service (SaaS) digital adoption platforms solutions that provide guidance and engagement tools, analytics and automation for web, mobile and desktop applications, simplifying and improving End Users’ experience, and increasing user engagement (“Service” – as further defined in the Principal Agreement).The Controller Data is collected by Processor when an End User or Authorized Representative (as defined below) uses the Service.The Controller Data is processed for the purpose of providing the Service, the ongoing operation thereof, and/or for security purposes.
- The types of Controller Data to be Processed
3.1 End-Users’ IP addresses, Web Application data (page title, URL) and Location information (country and city).In the event that Controller requests in writing to use special features of the Service (such special features may include but are not limited to Digital Analytics Experience and Sessions Recordings, and vary depending on the specific feature selected by Controller) – Processor may collect and/or process additional personal information as detailed here: https://www.walkme.com/special-features/.3.2 Email addresses and log-in credentials of authorized Controller personnel (“Authorized Representatives”) inherent for the provision of the Service, for the purpose of creating Outputs (as defined in the Principal Agreement) and of those End Users which contact Processor in connection with the provision of technical support for the Service.
- The categories of Data Subject to whom the Controller Data relates
Data subjects are the End-Users of the Service and Authorized Representatives of the Controller.
- The obligations and rights of Controller
The obligations and rights of Controller are set out in this DPA, the Principal Agreement and this Annex.
- Retention Periods
Processor will retain Controller Data it processes hereunder only for as long as required to provide the Service pursuant to the Principal Agreement.Unless otherwise agreed in writing by the Parties, after a request from the Controller to delete any Controller Data or upon termination or expiration of the Principal Agreement, an automated process will begin that permanently deletes the data in accordance with the timelines set forth in the tables below. Once initiated, this process cannot be reversed, and data will be permanently deleted.
Type | Timeline for Deletion (after deletion process begins) for Cancellation, Termination or Migration |
Backups | 30 days |
Logs | 60 days |
Access Logs | 2 years |
Data in Analytics Platform | 90 days |
Communications regarding requests for data deletion and exercise of individual rights | At least 24 months |