- Customer's employees and authorized users who use the Services in connection with the business of the Customer.
- Any other individuals who are involved in or referred to in the content of communications or collaborations taking place through the Customer's use of the Services.
- Identification information for Customer’s administrator, contact information, such as address, telephone number (fixed and mobile), e-mail address, and fax number, employment information, such as job title and business role.
- Identification information for anyone, including Customers’ employees, who use the Services at the request of and in connection with the business of the Customer, including telephone number (fixed and mobile) and email address.
- Call detail records, including numbers of the calling and the receiving party, start date and time of the call, duration of the call.
- For Services such as RingCentral Contact Center, RingCentral Engage Digital and/or RingCentral Engage Voice, and RingCentral Engage Digital Communities:
- Identification information for end users such as full name, gender, contact information (address, telephone number (fixed and mobile), email address, fax number), employment information (job title) and company name.
- Identification information of Customer's employees or authorized users or other third-party contributors, including name and e-mail address.
- Content published on communication channels connected to the Services, including public information on social media channels connected to the Service.
- Content published on the online sharing space, including any public posts and private messages.
- Any other Customer Personal Data that the Customer, its authorized users or third parties involved in the communications choose in their sole discretion to include in the content of the communications that are sent and received using the Services.
Special Categories of Customer Personal Data
The Services are not designed to recognize and/or classify data as special categories of data or sensitive data (as defined in the GDPR or in other Applicable Data Protection Laws), nor as Personal Data concerning children or minors, or related to criminal convictions and offenses. Insofar as Customer processes special categories of Personal Data, Customer undertakes to process this category of Personal Data lawfully, and in particular to rely on a valid legal basis in accordance with Applicable Data Protection Laws.
RingCentral processes Customer Personal Data for the purposes of providing and maintaining the Services to which the Customer has subscribed, including any ancillary or related Services under the scope of the Agreement, for the purposes of publishing content on public/private communications channels, for customer relationship management, user management, and customer support. RingCentral publishes authorized users’ content onto the public or private communication channels connected to their platform and synchronizes end user content from the same channels. RingCentral stores and displays Customer information and conversations history to the authorized users.
1.1. Agreement shall mean and refer to the main written or electronic agreement between Customer and RingCentral for the provision of any of the RingCentral Services to the Customer.
1.2. CPA shall mean and refer to the Colorado Privacy Act and its implementing regulations.
1.3. CPPA shall mean and refer to the California Privacy Protection Agency, which is vested with the full administrative power, authority, and jurisdiction to implement and enforce the CPRA.
1.4. CPRA shall mean and refer to the California Privacy Rights Act and its implementing regulations.
1.5. Customer Personal Information shall mean and refer to any Personal Information that RingCentral processes on behalf of Customer as a Service Provider under the Agreement.
1.6. CTDPA shall mean and refer to the Connecticut Data Privacy Act and its implementing regulations.
1.7. Personal Information shall mean and refer to any information relating to an identified or identifiable person or individual and also includes personal data, as defined by applicable US State Privacy Laws.
1.8. Sell shall have the same meaning as set forth in the CPRA.
1.9. Service(s) shall mean the service(s) performed by RingCentral under the Agreement.
1.10. Share shall have the same meaning as set forth in the CPRA.
1.11. Service Provider shall mean and refer to a service provider or subcontractor, as defined by applicable US State Privacy Laws, that processes Customer Personal Information on Customer’s behalf or on RingCentral’s behalf, where RingCentral is a Service Provider to Customer, for the purposes of the Agreement.
1.12. US State Privacy Laws shall mean and refer to all United States data protection and privacy laws which may be applicable to RingCentral in the processing of Customer Personal Information as part of the performance of the Services.
1.13. VDCPA shall mean and refer to the Virginia Consumer Data Protection Act and its implementing regulations.
2. Scope of US Privacy Addendum
2.1. This US Privacy Addendum will apply only to the extent that RingCentral processes Customer Personal Information on behalf of a Customer as a Service Provider under US State Privacy Laws, where such processing is described in Annex I of the DPA.
3. Roles and Responsibilities
3.1. RingCentral Obligations
- 3.1.1. Purpose Limitation. RingCentral shall process the Customer Personal Information for the purposes of the performance of the Services as described in the Agreement except where otherwise required or permitted by US State Privacy Law.
- 3.1.2. CPRA. For the purposes of Customer Personal Information subject to the CPRA, RingCentral will:
- 18.104.22.168. Comply with the applicable CPRA obligations.
- 22.214.171.124. Provide the same level of privacy protection as required by CPRA.
- 126.96.36.199. Notify the Customer if it can no longer meet its CPRA obligations.
- 188.8.131.52. Not Sell or Share Customer Personal Information.
- 184.108.40.206. Not retain, use, or disclose Customer Personal Information for any other purpose other than as agreed upon in the Agreement, outside the direct business relationship between the Parties, or as permitted by CPRA.
- 220.127.116.11. Not combine Customer Personal Information it receives from, or on behalf of, Customer with Personal Information it receives from, or on behalf of, another person, or collects from its own interaction with the End User, subject to the exceptions under CPRA, including that RingCentral may combine Customer Personal Information to perform any business purpose as defined in the CPPA regulations.
- 18.104.22.168. Cooperate with Customer, upon Customer’s reasonable notice, to determine reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information.
- 3.1.3. Confidentiality of Processing. RingCentral shall ensure that any person that it authorizes to process the Customer Personal Information shall be subject to a duty of confidentiality (either a contractual or a statutory duty).
- 3.1.4. Security. RingCentral will maintain appropriate technical and organizational security measures to safeguard the security of Customer Personal Information. RingCentral will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity and accessibility of Customer Personal Information with administrative, technical and physical measures conforming to generally recognized industry standards and practices. RingCentral’s security measures are set out in the RingCentral Security Addendum at https://netstorage.ringcentral.com/documents/trust-center-security-addendum.pdf.
- 3.1.5. Deletion or Return of Data. Upon termination or expiry of the Agreement, RingCentral shall delete Customer Personal Information (including copies) in RingCentral's possession or, at Customer’s request, provide options to return the Personal Information to the Customer, save to the extent that RingCentral is required by applicable law to retain some or all of the Customer Personal Information.
3.2. Customer Obligations. Customer undertakes to:
3.2.1. Ensure that it may lawfully disclose the Customer Personal Information to RingCentral for the purposes set out in the Agreement.
3.2.2. Comply with US State Privacy Laws in its use of the Services, and its own collection and processing of Customer Personal Information.
3.2.3. Process sensitive Personal Information (as defined by US State Privacy Laws), or Personal Information concerning children or minors, or related to criminal convictions and offenses, lawfully, and relying on a valid legal basis in accordance with US State Privacy Laws. The Parties acknowledge that the Services are not designed to recognize and/or classify such Personal Information and that Customer will be responsible when processing this Personal Information using the Services.
4. Service Providers
- 4.1. Notification. Where required by US State Privacy Laws, RingCentral will notify Customer before it engages another Service Provider. Where required by US State Privacy Laws, RingCentral will allow Customer thirty (30) calendar days to object to such engagement on reasonable grounds relating to the protection of Customer Personal Information.
- 4.2. Agreements. RingCentral shall impose data protection terms on such Service Providers that protect Customer Personal Information to an equivalent standard provided for by this US Privacy Addendum.
- 5.1. RingCentral will select an independent, qualified third-party auditor to conduct, at RingCentral’s expense, at least annual audits of the security of the Services and environments, in accordance with internationally recognized standards such as ISO27001, the SOC 2, Type II standards or its equivalent. Upon Customer request and under Non-Disclosure Agreement, RingCentral will provide a copy of the most recent audit reports (or similar security attestation) to document compliance with the foregoing requirement, where such certification is available. Both Parties acknowledge that it is the Parties' intention ordinarily to rely on the provision of the security reports in this section to verify RingCentral's compliance with this US Privacy Addendum, the VDCPA, CPA, and/or the CTDPA.
- 5.2. Where required by US State Privacy Laws, RingCentral will cooperate with Customer to make available all information in RingCentral’s possession to demonstrate compliance with its obligations in the VDCPA, CPA and/or the CTDPA, as applicable.
- 5.3. Additionally, upon request from Customer, but not more than once during each 12-month period, RingCentral shall complete a Customer provided information security program questionnaire, limited in scope to the actual services/environments related to the Services provided to Customer ("Security Review").
- 5.4. After Customer’s review of RingCentral’s audit report or similar attestation, and of the completed information security questionnaire (including any changes introduced by RingCentral to address any gaps), if, to the extent required by US State Privacy Laws, additional information is reasonably necessary to demonstrate compliance with RingCentral’s obligations pursuant to US State Privacy Laws and this US Privacy Addendum, Customer may request in writing to perform an audit (including inspections) of RingCentral pursuant to the audit request procedure below, no more than once every twelve (12) month period, unless a supervisory authority specifically requires that an audit is carried out of RingCentral.
- 5.5. In order to exercise its right to audit pursuant to this section, Customer must provide RingCentral with a written, detailed request, including the explanation of gaps in RingCentral’s provided audit reports and in the Security Review that render the audit necessary to demonstrate RingCentral’s compliance with this US Privacy Addendum or with US State Privacy Laws.
- 5.6. The audit may be performed by Customer or a third-party auditor (any such third party under strict confidentiality obligations, including requirements that individual auditors appointed have not performed audits of any of RingCentral’s competitors in the previous twelve (12) months and that they will be prohibited from performing such audits in the twelve (12) months following RingCentral’s audit) solely at Customer's expense. RingCentral may object in writing to any third-party auditor if the auditor is, in RingCentral’s reasonable opinion, not suitably qualified or independent, a competitor of RingCentral, or otherwise manifestly unsuitable. Any such objection by RingCentral will require the Customer to appoint another auditor or conduct the audit itself.
- 5.7. RingCentral and Customer will agree in advance upon the scope and timing of the audit, to protect the confidential and proprietary Information of RingCentral and other Parties, to minimize disruption to RingCentral’s business, to limit the scope to the actual services/environments related to the Services provided to Customer, and to agree on a reasonable duration of the audit.
- 5.8. The audit performance will occur during regular business hours for the RingCentral personnel involved and the Parties agree that RingCentral will make available material for Customer’s review, but not for Customer to retain. RingCentral may charge a reasonable fee for costs incurred in connection with any such audit based on RingCentral’s professional services rates, unless the audit shows a material breach on the part of RingCentral. RingCentral will provide the Customer with details of any applicable fee, and the basis of its calculation, in advance of any such audit.
- 5.9. All information provided or made available to Customer pursuant to this section shall be deemed Confidential Information of RingCentral and Customer will not distribute to any third party without RingCentral’s written approval.
6. US Educational Institutions
- 6.1. COPPA. Information about usage of the Services in accordance with COPPA requirements is available on the Children’s Privacy Notice and School/Parental Notification, located at https://www.ringcentral.com/legal/childrens-privacy-notice-school-parental-notification.html, and incorporated by reference. If applicable, Customer hereby agrees to obtain and provide, or cause a School Partner to obtain and provide, verifiable consent to RingCentral’s collection, use, and disclosure of Personal Data in accordance with the Children’s Privacy Notice and School/Parental Notification. If Customer is purchasing RingCentral for Education, pricing tiers are described more fully at https://www.ringcentral.com/office/industry-solutions/education-cloud-phone-systems.html
- 6.2. FERPA. For the purposes of the Agreement, if Customer is an educational agency or institution subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), RingCentral shall operate as a school official with legitimate educational interests in obtaining or accessing Personally Identifiable Information, including Education Records pertaining to students (as those terms are defined under FERPA). RingCentral shall only use or disclose such Personally Identifiable Information in accordance with the requirements of 34 C.F.R. § 99.33(a) (governing the use and redisclosure of Personally Identifiable Information from Education Records) as is reasonably necessary to provide the MVP Services or for RingCentral to otherwise perform its obligations under the Agreement. Customer acknowledges RingCentral is under its direct control with respect to the use and maintenance of Education Records, and Customer agrees to be solely responsible for protection of Personally Identifiable Information from Educational Records.
- 7.1. Unless the above explicitly states otherwise the terms and conditions of the Agreement, including any DPA, shall apply to the US Privacy Addendum. In case of any conflict between the terms of the Agreement, including any DPA, and the terms of this US Privacy Addendum, the terms of this US Privacy Addendum prevails with regard to data processing activities subject to US State Privacy Laws.
- 7.2. The governing law and forum that apply to the Agreement also apply to this US Privacy Addendum.
- 7.3. Contact information for privacy inquiries: privacy@RingCentral.com.