- (a) "Affiliate" means a person or entity that is controlled by a Party hereto, controls a Party hereto, or is under common control with a Party hereto, and “control” means beneficial ownership of greater than fifty percent (50%) of an entity’s then-outstanding voting securities or ownership interests.
- (b) "Agreement" means the main written or electronic agreement between Customer and RingCentral for the provision of any of the RingCentral Services.
- (c) "Applicable Data Protection Laws" means all data protection and privacy laws (including the GDPR) applicable to RingCentral in the processing of Personal Data under this DPA.
- (d) "Controller" shall have the same meaning under Applicable Data Protection Law.
- (e) "Customer Personal Data" means any Personal Data that RingCentral processes as a Processor under the Agreement.(f) GDPR" means (i) the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (ii) any Applicable Data Protection Laws implemented by European Union member states, (iii) the UK Data Protection Act (DPA 2018), as amended, and the GDPR as incorporated into UK law as the UK GDPR, and (iv) the Swiss Federal Acts on Data Protection (the “FADP”); all as amended from time to time.
- (g) "Personal Data" means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Law.
- (h) “Processor” shall have the same meaning under Applicable Data Protection Law.
- (i) "Security Incident" means a breach of security leading to any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Personal Data that compromises the privacy, security, or confidentiality of such Personal Data.(j) “Services” means the RingCentral services as described in Annex I.
- 4.1 Applicability. This Section 4 shall apply to the processing of Customer Personal Data that is subject to the protection of the GDPR.
- 4.2 Subprocessors. Customer agrees that RingCentral and its Affiliates may engage RingCentral Affiliates and third- party subprocessors (collectively, "Subprocessors") to process the Personal Data on RingCentral's behalf. Depending on the scope and the nature of the subprocessing, RingCentral shall impose data protection terms on such Subprocessors that protect Customer Personal Data to an equivalent standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Subprocessor. The Subprocessors engaged by RingCentral in respect of each of the Services at the time of the Agreement are noted on the RingCentral Subprocessor list available at https://www.ringcentral.com/legal/dpa-subprocessor-list.html, or are otherwise specified in the Agreement.
- 4.3 Subprocessor Notification. RingCentral may, by giving reasonable notice to the Customer, add or replace the Subprocessors. If the Customer objects to the appointment of an additional Subprocessor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of the Customer Personal Data, then the Parties will discuss such concerns with a view to achieving resolution. If such resolution cannot be reached, then RingCentral will either not appoint the Subprocessor or, if this is not possible, Customer will be entitled to suspend or terminate the affected RingCentral Service without penalty with a thirty (30) day written notice to RingCentral. Notwithstanding the foregoing, in the event of an unforeseeable force majeure (such as a RingCentral Subprocessor failure) that can provoke a degradation or interruption of the Service, RingCentral reserves the right to immediately change the failing Subprocessor in order to maintain or restore the standard conditions of the Service. In this situation, the notification of Subprocessor change may be exceptionally sent after the change.
- 4.4 Data Protection Impact Assessments. RingCentral shall, to the extent required by the GDPR, and upon Customer's request and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under GDPR in relation to the scope of the Services provided to Customer under the Agreement.
- 4.5 International Transfers. RingCentral may transfer and process Customer Personal Data outside the European Economic Area (“EEA”), Switzerland, or the United Kingdom, in accordance with the applicable Subprocessor list, to locations where RingCentral, its Affiliates or its Subprocessors maintain data processing operations.
- (a) Data Privacy Framework. RingCentral complies with and has certified to the U.S. Department of Commerce its adherence to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). RingCentral’s Notice of Certification applies to the Services.
- (b) Standard Contractual Clauses. To the extent that RingCentral processes (or causes to be processed) any Customer Personal Data originating from the EEA, Switzerland, or the United Kingdom in a country that has not been recognized by the European Commission as providing an adequate level of protection for Customer Personal Data, and that the Data Privacy Framework as described above does not apply, RingCentral will put in place such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws, which include the execution of the applicable EU Commission's Standard Contractual Clauses, and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the putting in place of any other valid transfer mechanism.
- 4.6 Data Disclosure Requests. If RingCentral receives a request from a law enforcement or other government authority to disclose Personal Data that RingCentral is processing on the Customer's behalf, RingCentral will notify and provide the Customer with the details of the data disclosure request prior to disclosing any Personal Data, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
- 5. Miscellaneous
- 5.1 Unless the above explicitly states otherwise the terms and conditions of the Agreement shall apply to the DPA. In case of any conflict between the terms of the Agreement, any security related terms included in the DPA or the Agreement, and the terms of this DPA, the terms of this DPA prevail with regard to Personal Data processing activities.
- 5.2 The governing law and forum that apply to the Agreement also apply to this DPA.5.3 Contact information for privacy inquiries: privacy@RingCentral.com.5.4 The Annexes attached to the DPA are :- Annex 1 - Description of the Processing- (If applicable) Annex 2 - RingCentral Customer United States Privacy Addendum
- 1. Cloud-based communications and collaboration services for high-definition voice, video, SMS, chat messaging and collaboration, conferencing, online meetings, and fax;
- 2. Customer contact centre services and an omni-channel customer communication management platform that unifies all customer-facing communication channels, including voice, email, SMS, website, mobile app, chat and social media communications, onto a single platform, enabling community responses to customer service inquiries;
- 3. Virtual events and presentation services;
- 4. Professional services;5. Any other Services as specified in the Agreement unless otherwise governed by specific data protection terms.
- Customer's employees and authorised users who use the Services in connection with the business of the Customer;
- Any other individuals who are involved in or referred to in the content of communications or collaborations taking place through the Customer's use of the Services.
- Service account data which may comprise any of the following: name; telephone number; email address; physical address; title; role; profile information; application settings, login credentials (user ID, log in, account, passwords);
- Usage data which may comprise any of the following: device information (such as IP address, ISP, device and operating system type, operations system and client version, client version, type of microphone or speakers, connection type and related information, etc.); connection type and related information (e.g., connected over WiFi); system logs, including usage logs, backend logs, client logs; cookie identifiers; communications metadata, including Call Detail Records (CDRs) and traffic data;
- User generated content which may comprise any of the following: participants’ names or phone numbers; chat messages; text of inbound and outbound faxes; voicemails; text of inbound and outbound SMS; meetings notes; audio/video streams in transit; meeting or call recordings; content of contact center interactions (e.g., emails, social media posts, call recordings, chat, etc.); transcriptions of recorded calls or meetings; summaries of recorded calls or meetings; meeting history; shared files, pictures, and links; message attachments, such as notes, tasks, events, code snippets, and .gifs; folder creations; search history; online presence and status messages; user feedback.
1. Definitions
1.1. Agreement shall mean and refer to the main written or electronic agreement between Customer and RingCentral for the provision of any of the RingCentral Services to the Customer.
1.2. CPPA shall mean and refer to the California Privacy Protection Agency, which is vested with the full administrative power, authority, and jurisdiction to implement and enforce the CPRA.
1.3. CPRA shall mean and refer to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any implementing regulations promulgated thereunder.
1.4. Customer Personal Information shall mean and refer to any Personal Information that RingCentral processes on behalf of Customer as a Service Provider under the Agreement.
1.5. Personal Information shall mean and refer to any information relating to an identified or identifiable person or individual and also includes personal data, as defined by applicable US State Privacy Laws.
1.6. Sell shall have the same meaning as set forth in the CPRA.
1.7. Share shall have the same meaning as set forth in the CPRA.
1.8. Service Provider shall mean and refer to a service provider or subcontractor, as defined by applicable US State Privacy Laws, that processes Customer Personal Information on Customer’s behalf or on RingCentral’s behalf, where RingCentral is a Service Provider to Customer, for the purposes of the Agreement.
1.9. US State Privacy Laws shall mean and refer to all United States data protection and privacy laws which may be applicable to RingCentral in the processing of Customer Personal Information as part of the performance of the Services provided to Customer under the Agreement.
2. Scope of US Privacy Terms
2.1. These US PrivacyTerms will apply only to the extent that RingCentral processes Customer Personal Information on behalf of a Customer as a Service Provider under US State Privacy Laws, where such processing is described in Annex I of the DPA.
3. Roles and Responsibilities
3.1. Purpose Limitation. RingCentral shall process the Customer Personal Information for the purposes of the performance of the Services as described in the Agreement and the DPA except where otherwise required or permitted by US State Privacy Laws. Such purposes include providing, monitoring, supporting, improving, and maintaining the Services, including through automated means such as artificial intelligence.
3.2. CPRA. For the purposes of Customer Personal Information subject to the CPRA, RingCentral will:
3.2.1. Comply with the applicable CPRA obligations.
3.2.2. Provide the same level of privacy protection as required by CPRA.
3.2.3. Notify the Customer if it can no longer meet its CPRA obligations.
3.2.4. Not Sell or Share Customer Personal Information.
3.2.5. Not retain, use, or disclose Customer Personal Information for any other purpose other than as agreed upon in the Agreement, outside the direct business relationship between the Parties, or as permitted by CPRA.
3.2.6. Not combine Customer Persona Information it receives from, or on behalf of, Customer with Personal Information it receives from, or on behalf of, another person, or collects from its own interaction with the End User, subject to the exceptions under CPRA, including that RingCentral may combine Customer Personal Information to perform any business purpose as defined in the California Consumer Privacy Act Regulations, California Code of Regulations, Title 11, Division 6, Chapter 1, sections 7000 et seq.
3.2.7. Cooperate with Customer, upon Customer’s reasonable notice, to determine reasonable and appropriate steps to stop and remediate unauthorised use of Customer Personal Information, to the extent there is any unauthorised use of Customer Personal Information.
4. Service Providers
4.1. Notification. Where required by US State Privacy Laws, RingCentral will notify Customer before it engages another Service Provider. Where required by US State Privacy Laws, RingCentral will allow Customer thirty (30) calendar days to object to such engagement on reasonable grounds relating to the protection of Customer Personal Information.
4.2. Agreements. RingCentral shall impose data protection terms on such Service Providers that protect Customer Personal Information to an equivalent standard provided for by these US Privacy Terms.
5. Audits
5.1. Where required by US State Privacy Laws, RingCentral will cooperate with Customer to make available all information in RingCentral’s possession to demonstrate compliance with its obligations under US State Privacy Laws as applicable. Additionally, both Parties acknowledge it is the Parties’ intention ordinarily to rely on the provision of the security reports in Section 4 of the DPA to verify RingCentral’s compliance with these US Privacy Terms and applicable US State Privacy Laws.
6. US Educational Institutions
6.1. COPPA. Information about usage of the Services in accordance with COPPA requirements is available on the Children’s Privacy Notice and School/Parental Notification, located at https://www.ringcentral.com/legal/childrens-privacy-notice-school-parental-notification.html, and incorporated by reference. If applicable, Customer hereby agrees to obtain and provide, or cause a School Partner to obtain and provide, verifiable consent to RingCentral’s collection, use, and disclosure of Personal Data in accordance with the Children’s Privacy Notice and School/Parental Notification. If Customer is purchasing RingCentral for Education, pricing tiers are described more fully at https://www.ringcentral.com/sg/en/office/industry-solutions/education-cloud-phone-systems.html.
6.2. FERPA. For the purposes of the Agreement, if Customer is an educational agency or institution subject to the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), RingCentral shall operate as a school official with legitimate educational interests in obtaining or accessing Personally Identifiable Information, including Education Records pertaining to students (as those terms are defined under FERPA). RingCentral shall only use or disclose such Personally Identifiable Information in accordance with the requirements of 34 C.F.R. § 99.33(a) (governing the use and redisclosure of Personally Identifiable Information from Education Records) as is reasonably necessary to provide the RingEX Services or for RingCentral to otherwise perform its obligations under the Agreement. Customer acknowledges RingCentral is under its direct control with respect to the use and maintenance of Education Records, and Customer agrees to be solely responsible for protection of Personally Identifiable Information from Educational Records.
7. Miscellaneous
7.1. Unless the above explicitly states otherwise the terms and conditions of the Agreement, shall apply to the US Privacy Terms. In case of any conflict between the terms of the Agreement, the terms of the RingCentral Security Addendum, the terms of the DPA, and the terms of these US Privacy Terms, the terms of these US Privacy Terms prevail with regard to Personal Information processing activities subject to US State Privacy Laws.
7.2. The governing law and forum that apply to the Agreement also apply to these US Privacy Terms.
7.3. Contact information for privacy inquiries: privacy@RingCentral.com.