Docebo – Data Processing Addendum
Ver. 8.0 of April 2024
This Data Processing Addendum (this “DPA”) represents the Parties’ agreement regarding the Processing of Customer Data, including Customer Personal Data, by Docebo on behalf of the Customer for the purposes of carrying out the Services, and it forms part of the Agreement, as updated from time to time. Capitalized terms used in this DPA, but not otherwise defined herein, shall have the same meaning in this DPA as are given to them in the Agreement. Customer’s signature to the Agreement shall constitute a signature to this DPA and the Standard Contractual Clauses including the annexes and appendices (as applicable).
1. Definitions.
“Customer Personal Data” means any Personal Data belonging to the Customer that is Processed by Docebo in the course of providing the Services under the Agreement.
“Data Controller” means the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced.
“Data Privacy Principles” means the Data Privacy Principles contained in the applicable Data Privacy Framework; as may be supplemented, amended, superseded or replaced.
“Data Processor” means any natural or legal person, public authority, agency, or any other body which Processes Personal Data on behalf of a Data Controller or on the instruction of another Data Processor acting on behalf of a Data Controller.
“Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates. It includes the definition of “Consumer” under CCPA, VCDPA, UCPA, CPA and CTCPA.
“Docebo Affiliate” means Docebo affiliates, subsidiaries or sister companies (companies controlled by the same parent company) that may assist in the performance of the Services and may be engaged in the Processing of Customer Personal Data.
“EU Data Protection Law” means all data protection laws and regulations applicable to European Economic Area, including (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (b) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (c) applicable national implementations of (a) and (b).
“Non-EU Data Protection Laws” means the UK Data Protection Law; the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and its implementing regulations (the “CCPA”); Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Utah Consumer Privacy Act when effective (“UCPA”); the Colorado Privacy Act and related regulations (“CPA”); the Connecticut Act Concerning Personal Data Protection and Online Monitoring (“CTCPA”); the Brazilian General Data Protection Law, Federal Law no. 13,709/2018 (“LGPD”); the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”); the Swiss Data Protection Act (the “FADP”); and the Personal Information Protection Law of the People’s Republic of China (“PIPL”).
“Personal Data” means (i) any data or information relating to an identified or identifiable living individual, including information that can be linked, directly or indirectly, with a particular Data Subject or (ii) is otherwise “personal information”, “personally identifiable information” or similarly defined information under the applicable Data Protection Laws.
“Process”, “Processing” or “Processed” means any operation or set of operations which is performed upon Customer Data, including Personal Data, whether or not by automated means, according to the definitions given to such terms in the GDPR.
“Security Breach” means a breach of Docebo’s security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed.
“Sensitive Data” means any information that requires a heightened degree of data protection under Data Protection Laws including, but not limited to: (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; or (e) other information that falls within the definition of “special categories of data” under EU Data Protection Law, UK Data Protection Law, or within the definition “sensitive personal information” under the CCPA.
“Services” means all services provided by Docebo in accordance with, and as defined in, the Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, attached hereto as Annex C; as may be amended, superseded, or replaced.
“Sub-processor” means any Docebo Affiliate and any sub-contractor engaged in the Processing of Customer Personal Data in connection with the Services.
“Supervisory Authority” means any regulatory, supervisory, governmental, or other competent authority with jurisdiction or oversight over compliance with the Data Protection Laws.
“UK Data Protection Law” means all data protection laws and regulations applicable to the United Kingdom, including (a) the Data Protection Act 2018 and (b) the GDPR, as incorporated into United Kingdom law under the Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019 (“UK GDPR”), each as amended, supplemented, or replaced from time to time.
“Business Purpose”, “Commercial Purpose”, “Deidentify” and “Share” have the respective meanings given in the CCPA. “Sell” has the meaning given in the CCPA, VCDPA, UCPA, CPA and CTCPA. In the event of a conflict in the meanings of terms in the CCPA, VCDPA, UCPA, CPA and CTCPA, the parties agree that the definition in the applicable Non-EU Data Protection Laws shall apply to the extent of the conflict.
2. Appointment and Data Processing.
2.1 Subject to the terms of the Agreement, the Customer is the Data Controller of the Customer Personal Data (or a Data Processor and has been instructed by and obtained the authorization of the relevant third-party Data Controller(s)) to enter into this DPA in the name and on behalf of such Data Controller(s). The Customer is responsible for obtaining all of the necessary authorizations and approvals to enter, use, provide, store, and Process Customer Personal Data to enable Docebo to provide the Services.
2.2 The Customer, as the Data Controller, hereby appoints Docebo as the Data Processor in respect of all Processing operations required to be carried out by Docebo on Customer Personal Data in order to provide the Services in accordance with the terms of the Agreement. Docebo is the Processor of Customer Personal Data, except where Docebo acts as a Controller processing Customer Personal Data in accordance with the list of purposes in Section 2.5.
2.3 Docebo shall collect, retain, use, disclose, and otherwise Process the Customer Personal Data only in accordance with the Customer’s documented, lawful instructions as set forth in the Agreement and this DPA, as necessary to comply with applicable Data Protection Laws, or as otherwise agreed in writing. The Parties agree that the Agreement, this DPA together with the Documentation and the Customer’s configuration and implementation of the Services, set out Customer’s complete instructions to Docebo in relation to the Processing of Customer Personal Data. Processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties and shall be subject to any additional costs that Docebo may incur in implementing such additional instructions. If, for any reason, Docebo refuses to comply with any such additional instructions, then the Customer may terminate the Agreement (and this DPA) except if the Customer’s instructions infringe Data Protection Laws or other applicable law.
2.4 The Customer instructs Docebo to Process collected Customer Personal Data for the following purposes: (a) Processing in accordance with the Agreement and this DPA; (b) Processing initiated by Docebo Software users in their use of the Services; and (c) Processing to comply with other documented reasonable instructions provided by the Customer where such instructions are consistent with the terms of the Agreement. Docebo will Process Customer Personal Data pursuant to this DPA for the duration of the Services, and this DPA will terminate when Customer Personal Data is no longer stored and Processed by Docebo.
2.5 Docebo may Process some Customer Personal Data for its own legitimate business purposes provided the Processing is strictly necessary, proportionate and consists of one of the following purposes: (a) billing, account, and Customer relationship management; (b) complying with legal obligations, tax requirements, associated agreements and potential disputes; (c) virus scanning and fraud prevention; and (d) once Customer Personal Data are anonymized and aggregated, for the development and improvement of the applicable artificial intelligence functionalities and its underlying technologies (unless the Customer, or its designated administrators, has instructed Docebo to refrain from such use or processing via the opt-out mechanism available in the Docebo platform, or by contacting Docebo directly). Outside these purposes, Docebo acknowledges that it has no right, title, or interest in the Customer Personal Data and may not sell, rent, or lease the Customer Personal Data to anyone.
2.6 The subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data that will be Processed, and the categories of Data Subjects whose Personal Data is transferred to Docebo as set out in the Agreement, including this DPA, are specified in Annex B, attached hereto.
2.7 Unless otherwise agreed by Docebo, the Customer will not provide (or cause to be provided) any Sensitive Data to Docebo for processing under the Agreement, and Docebo will have no liability whatsoever for Sensitive Data, whether in connection with a Security Breach or otherwise.
2.8 Docebo shall maintain complete, accurate, and up to date written records of all Processing activities carried out on behalf of the Customer containing information as required under any applicable Data Protection Laws.
2.9 Through the use of the Docebo Software, by means of Docebo’s marketplace integrations features, as further described in the Agreement, the Customer, at their sole discretion and via its administrator(s), may elect to grant third-parties visibility to Customer Data. Nothing in this DPA prohibits (and, for the avoidance of doubt, Sections 3, 7 and 10 do not apply) Docebo transferring or making visible Customer Data to third-parties consistent with this Section 2.9, as directed by the Customer or the End Users through the Docebo Software.
3. Sub-Processing Provisions.
3.1 General.
(a) The Customer acknowledges and agrees that Docebo Affiliates may be retained as Sub-processors, and Docebo and Docebo Affiliates, respectively, may engage third-party Sub-processors in connection with the provision of the Services, to fulfil its contractual obligations under this DPA, or to provide certain services on its behalf, such as providing support services to Docebo. Docebo and Docebo Affiliates have entered into and will maintain a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
(b) Docebo currently utilizes the Sub-processors set forth in Annex D, which are authorized by the Customer. Docebo shall notify the Customer of any addition or replacement of Sub-processors; all such notifications will be sent via Customer’s email as provided in Customer’s Docebo platform and/or to Customer’s designated administrators via the Docebo software. The Customer shall notify Docebo within thirty (30) days of the date of its receipt of Docebo’s notice whether it has any objections to the list of Sub-processors, in which case the Parties will meet to discuss the Customer’s objections, acting reasonably and in good faith. If Docebo cannot reasonably accommodate a solution to the Customer’s objection, then the Customer may terminate the Agreement and this DPA by notice to Docebo. If the Customer does not object to the change(s) within thirty (30) days of the date of its receipt of Docebo’s notice, then the amendment(s) in the notice and the use of the new Sub-processor will be deemed accepted by the Customer.
(c) Docebo will remain responsible for any acts or omissions of its Sub-processors to the same extent that Docebo would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.
3.2. Docebo Affiliates. The Parties understand, acknowledge, and agree that, as of the date of the execution and delivery of the Agreement, Docebo S.p.A – Via Parco 47 – 20853 Biassono (MB) – ITALY, is the Docebo Affiliate who owns, develops, maintains, and operates the Docebo Software.
4. Compliance with Laws.
4.1 Each Party will comply with the Data Protection Laws applicable to it and binding on it in its respective access to and performance of the Services.
4.2 The Customer acknowledges that Docebo is not responsible for determining the requirements of all laws applicable to the Customer’s business or that Docebo’s provision of the Services meets or will meet the requirements of such laws. The Customer will ensure that Docebo’s Processing of Customer Personal Data, when done in accordance with Customer’s instructions, will not cause Docebo to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Docebo shall promptly notify the Customer, in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from the Customer violates any Data Protection Laws.
4.3 The Customer represents and warrants that (a) it has complied, and will continue to comply, with Data Protection Laws in respect of its Processing of Customer Personal Data and any Processing instructions it issues to Docebo; and (b) it has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Docebo to Process Customer Personal Data for the purposes described in the Agreement.
4.4 The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired Customer Personal Data. Without prejudice to the generality of the foregoing, the Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any content created, sent, or managed through the Services.
5. Security Responsibilities of Docebo.
5.1 Docebo shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Personal Data from Security Breaches and designed to preserve the security and confidentiality of Customer Data in accordance with Docebo’s “Information Protection and Security Standards” (the “IPSS”) document, attached hereto as Annex A as it is in effect on the Effective Date of the Agreement, and as it is amended, from time to time, and available at https://www.docebo.com/tos/Docebo_DPA_Annex_A_EN.pdf. Docebo reserves the right to make changes to the IPSS, from time to time, to reflect technological developments and industry best practices; provided, always, that such changes do not result in any objective degradation to the security of Customer Data, the manner in which the Services are provided or which fall below the standard of any applicable law.
5.2 The technical and organizational security measures implemented by Docebo include (and will include at all material times), at a minimum, the following:
(a) Docebo has implemented and will maintain appropriate procedures to ensure that unauthorized persons will not have access to Customer Data and to the systems used to process Customer Data, and that any persons authorized to have access to Customer Data will protect and maintain its confidentiality and security;
(b) Docebo has implemented and will maintain appropriate measures to ensure that all employees and contractors involved in the processing of Customer Data are authorized personnel with a need to access the data, are bound by appropriate confidentiality obligations, and have undergone appropriate training in the protection and handling of Customer Data;
(c) Docebo will take reasonable steps to ensure the reliability of any personnel who have access to Customer Data; and
(d) Docebo will not copy or reproduce any Customer Data, except as technically necessary to provide the Services or as otherwise established in the Agreement or to comply with statutory data retention rules.
5.3 The Customer declares and confirms, as of the Effective Date of the Agreement, to have evaluated the security measures implemented by Docebo as providing an appropriate level of protection for the Customer Data, taking into account the risk associated with the processing of such information.
5.4 Notwithstanding the above, the Customer agrees that except as provided in this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials and any API credentials (if applicable), protecting the security of Customer Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
6. Security Breach Provisions.
6.1 If Docebo becomes aware of a Security Breach, then Docebo shall, without undue delay: (a) notify Customer of the Security Breach; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
6.2 In the event of a Security Breach, Docebo shall provide the Customer with all reasonable assistance in dealing with the Security Breach, in particular in relation to making any notification to a Supervisory Authority or any communication to Data Subject. In order to provide such assistance, and taking into account the nature of the Services and the information available to Docebo, the notification of the Security Breach shall include, at a minimum, the following:
(a) A description of the nature of the Security Breach including the categories and approximate number of data records concerned;
(b) The likely consequences of the Security Breach; and
(c) The measures taken or to be taken by Docebo to address the Security Breach, including measures to mitigate any possible adverse consequences;
6.3 Where, and insofar as, it is not possible for Docebo to provide such information at the time of the notice, then such notice shall nevertheless be made, in as complete a form as possible, and the remaining required information may be provided by Docebo, in phases and as it shall become available, without undue delay.
6.4 The Customer agrees that:
(a) Any Unsuccessful Security Incident shall not be subject to the obligations imposed on Docebo under this Section 6. An “Unsuccessful Security Incident” occurs where there has been no unauthorized access to Customer Personal Data or to any Docebo controlled systems used to Process Customer Personal Data, which may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing or similar incidents; and
(b) Docebo’s obligation to report or respond to a Security Breach under this Section 6 is not and will not be construed as an acknowledgement by Docebo of any fault or liability of Docebo with respect to the Security Breach.
6.5 Notification of a Security Breach shall be made via email as provided in the Customer’s Docebo platform.
7. Data Quality, Retrieval, Return, and Destruction.
7.1 Docebo will update, correct, or delete Customer Personal Data on the Customer’s request.
7.2 Upon termination or expiration of the Agreement (including any Transition Services period, if applicable), when requested by Customer, Docebo will (at the Customer’s election) delete or return to the Customer all of the Customer Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent that Docebo is required by applicable law to retain some or all of the Customer Personal Data, or to the Customer Personal Data it has archived on back-up systems, which Docebo shall securely isolate, protect from any further Processing, treat as Confidential Information of the Customer, and eventually delete in accordance with Docebo’s deletion policies, except to the extent required by applicable law.
7.3 On request from the Customer, Docebo will provide a portable copy of the Customer Personal Data in accordance with the Data Protection Laws with respect to Personal Data.
7.4 Any costs incurred by Docebo arising from Sections 7.1 to 7.3 shall be borne by Docebo. Any further costs incurred by Docebo arising from the Customer’s specific requests that are different from the ones described in Sections 7.1 to 7.3 shall be borne by the Customer. Docebo shall provide an estimate of any such costs, which shall be agreed in writing by the Parties.
7.5 Notwithstanding the general requirements of Section 7.2, the Customer acknowledges that the Docebo Software relies on Amazon Web Services (“AWS”), and that Docebo can only perform logical deletion. Terminated Customer Data stored in the Docebo Software is rendered unreadable or disabled by AWS, and the underlying storage areas on the AWS network that were used to store the content are wiped prior to being reclaimed and overwritten, in accordance with AWS standard policies including a secure decommissioning process. Docebo will carry out the logical deletion within sixty (60) days from the termination of the Agreement and, on the Customer’s request, may provide the Customer with written confirmation of such deletion.
8. Information Security Assessment.
8.1 Docebo will provide to the Customer and its duly authorized designees, during the term of this DPA, the information necessary to demonstrate the adequacy of Docebo’s information security measures and compliance with each applicable Data Protection Law.
8.2 Docebo has obtained the third-party certifications and audits set forth in Docebo’s IPSS. Upon the Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Docebo shall make available to the Customer (or the Customer’s independent, third-party auditor that is not a competitor of Docebo) a copy of Docebo’s most recent third-party audits or certifications, as applicable.
8.3 Upon request by Customer, Docebo will provide pre-filled and up to date information security related questionnaires based on commercially reasonable and industry benchmarked standards of reasonable comprehensiveness and completeness (e.g., CSA CAIQ and SFG SIG) that allow the Customer to review and assess how security risks are managed by Docebo. The Customer acknowledges and agrees that, provided that such questionnaires adhere to the foregoing standard, such questionnaires shall be deemed to fulfill any Customer supplier’s assessment initiative and the Customer agrees to waive any submission to Docebo of any other questionnaire covering materially the same information, which is based on any other format.
8.4 The Customer is responsible for reviewing the information made available by Docebo relating to data security and making an independent determination as to the adequacy of the provisions of this DPA in relation to the provision of the Services in meeting the Customer’s requirements and legal obligations.
8.5 Docebo will allow for and contribute to verifications, including inspections, related to information and data security matters, subject to the following conditions:
(a) The Customer may commission, at its own expense, an independent expert, whose appointment shall be subject to Docebo’s prior written approval, which shall not be unreasonably withheld, conditioned, or delayed; or
(b) The Customer may directly perform all reasonable activities to check the measures taken by Docebo in furtherance of such matters, according to a methodology and timetable to be agreed upon between the Parties (acting reasonably and in good faith), and in accordance with Docebo’s standard, commercially reasonable policies with respect to the conduct of such verifications, as they may then be in effect.
(c) Verifications will be conducted no more than annually, except in cases required by law, when required by instruction of a Supervisory Authority, or following a Security Breach.
8.6 Subject to Docebo’s prior written approval, the Customer may conduct, directly or through third parties (whose appointment shall also be subject to Docebo’s prior written approval), and at its own expense, penetration tests and vulnerability scans. Docebo shall allow such activities according to a methodology and timetable that will be agreed upon between the Parties (acting reasonably and in good faith) before starting any pen test activities, and in accordance with Docebo’s standard, commercially reasonable policies with respect to such penetration tests and vulnerability scans, available in the Docebo Trust Center upon Customer’s request. Such activities will be conducted on an annual basis and in any case no more than once every four months, upon agreement with Docebo. Customer will promptly provide to Docebo a copy of any resulting report of any penetration test or vulnerability scan completed.
9. Assistance on Data Protection Impact Assessment. To the extent required under applicable Data Protection Laws, Docebo will (taking into account the nature of the processing and the information available to Docebo) provide all reasonably requested information regarding the Services to enable the Customer (or, where Customer is a Data Processor, the relevant Data Controller) to carry out data protection impact assessments or prior consultations with data protection authorities, as required by such Data Protection Laws. Docebo shall comply with the foregoing by: (a) complying with Section 8 (Information Security Assessment); (b) providing the information contained in the Agreement, including this DPA; and (c) if the foregoing clauses (a) and (b) are insufficient for the Customer to comply with such obligations, upon request, providing additional reasonable assistance (at the Customer’s expense).
10. International Transfers.
10.1 The Customer acknowledges that Docebo may transfer and process Customer Personal Data to and in the United States and anywhere else in the world where Docebo, Docebo Affiliates or its Sub-processors maintain data processing operations as set out in this Section 10 in accordance with Section 3. Docebo shall, at all times, take all such measures as are necessary to ensure that such transfers are made in compliance with the requirements of Data Protection Laws.
10.2 The Customer agrees that Docebo and its Sub-processors may carry out data Processing operations in countries that are outside of the country in which the Customer Personal Data originates even where the Parties agreed that Docebo will host Customer Personal Data in a specific country and, if such Processing is necessary for the operation of the Docebo Software or to provide support-related services to, or other services requested by, the Customer. Specifically, the Customer agrees that the provision of support services, as set out in the Agreement, may require access to Customer Personal Data by Docebo’s operators from Europe, the United States, the United Kingdom, and/or Canada. In the case of any international Processing of Customer Personal Data, the transfer of Customer Personal Data will be subject to the transfer mechanisms set out in this Section 10.
10.3 To the extent that Docebo is a recipient of and/or transfers Customer Personal Data protected by EU Data Protection Laws outside of Europe to a country that is not recognized as providing an adequate level of protection for Personal Data by the European Commission (as described in applicable EU Data Protection Law), the Parties agree to:
(a) rely on the Data Privacy Framework as a legal basis for transfers of Customer Personal Data in the United States, in compliance with the Data Privacy Principles or
(b) abide by the Standard Contractual Clauses, which are incorporated by reference and form an integral part of this DPA, when the Data Privacy Framework will not be applicable or is invalid under the applicable Data Protection Law. For the purposes of the descriptions in the Standard Contractual Clauses, Docebo agrees that it is the “data importer” and the Customer is the “data exporter”. To the extent that: (a) the Customer is acting as a Data Controller of Customer Personal Data and Docebo is acting as a Data Processor of Customer Personal Data, Module Two of the Standard Contractual Clauses shall apply to such transfers of Customer Personal Data; and (b) the Customer is acting as a Data Processor of Customer Personal Data and Docebo is acting as a Data Processor of Customer Personal Data, Module Three of the Standard Contractual Clauses shall apply to such transfers of Customer Personal Data.
10.4 To the extent that Docebo is a recipient of Customer Personal Data originating from Switzerland and the transfer of Customer Personal Data are subject to the FADP, the Parties agree to abide by the Standard Contractual Clauses including the following additional requirements specific to such transfers only:
(a) the term ‘Member State’ shall be amended to include Switzerland;
(b) any references to the GDPR are to be understood as references to the FADP;
(c) the competent supervisory authority under Clause 13 of the Standard Contractual Clauses shall be the Federal Data Protection and Information Commissioner;
(d) the applicable law for contractual claims under Clause 17 of the Standard Contractual Clauses shall be Swiss law; and
(e) any contractual claim arising under Clause 18(b) of the Standard Contractual Clauses shall be resolved by the courts of Switzerland.
10.5 To the extent that Docebo is the recipient of Customer Personal Data governed by UK Data Protection Law in a country that is not recognized as providing an adequate level of protection for Personal Data as described in UK Data Protection Law, the Parties agree to:
(a) rely on the Data Privacy Framework as a legal basis for transfers of Customer Personal Data to the United States, in compliance with the Data Privacy Principles; or
(b) abide by the United Kingdom International Data Transfer Addendum as set forth in Annex E, which is incorporated by reference and forms an integral part of this DPA, when the Data Privacy Framework will not be applicable or is invalid under the applicable Data Protection Law.
10.6 To the extent Docebo adopts a lawful alternative data export mechanism for the transfer of Customer Personal Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable Data Protection Laws). In addition, if and to the extent that a court of competent jurisdiction or Supervisory Authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Customer Personal Data to any country not recognized as providing an adequate level of protection for Personal Data as described in the applicable Data Protection Laws, Docebo may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of Customer Personal Data.
11. Subject Access Requests and Other Communications.
11.1 Docebo shall, to the extent it may be legally permitted, promptly notify the Customer if Docebo receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (i.e., “right to be forgotten”), data portability, objection to the Processing, or its right not to be subject to an automated individual decision making, or any other request to exercise rights granted by Data Protection Laws (with each such request being a “Data Subject Request”). If Docebo receives a Data Subject Request in relation to Customer Personal Data, Docebo will advise the Data Subject to submit their request to the Customer and the Customer will be responsible for responding to such request. For the avoidance of doubt, Docebo shall not be obligated to grant a Data Subject Request where the Data Subject is not entitled to the relief sought.
11.2 Docebo shall, at the request of the Customer, and taking into account the nature of the Processing, assist the Customer (or, where the Customer is a Data Processor, the relevant Data Controller) by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of the Customer’s obligation to respond to a Data Subject Request under the Data Protection Laws and/or in demonstrating such compliance, where possible; provided that (a) the Customer is itself unable to respond without Docebo’s assistance and (b) Docebo is legally permitted to do so and the response to such Data Subject Request is required under the Data Protection Laws. To the extent legally permitted, the Customer shall be responsible for any reasonable costs arising from the Customer’s request for such assistance by Docebo.
12. Permitted Disclosures of Customer Data.
12.1 Docebo may disclose Customer Data to the extent such data is required to be disclosed by law, by any government or regulatory authority, or by a valid and binding order of a law enforcement agency (such as a subpoena or court order), or other authority of competent jurisdiction.
12.2 If any law enforcement agency, government or regulatory authority sends Docebo a demand for disclosure of the Customer Data, then Docebo will attempt to redirect the law enforcement agency, government or regulatory authority to request that data directly from the Customer, and Docebo is entitled to provide the Customer’s basic contact information to such law enforcement agency, government or regulatory authority.
12.3 If compelled to disclose Customer Data pursuant to Section 12.1, then Docebo will give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy.
13. Liability; Limitations. Each Party’s and all of its Affiliates’ liability, taken together and in the aggregate, arising out of or related to this DPA shall, in all cases, be limited to the extent that the same shall have been caused by such Party’s actions, and shall be further subject to the exclusions and limitations of liability set forth in the Agreement, to the extent permitted by applicable Data Protection Laws.
14. Entire Agreement. This DPA supersedes and replaces all prior representations, understandings, communications, and agreements by and between the Parties in relation to the matters set forth in this DPA.
15. Jurisdiction Specific Terms.
15.1 To the extent Docebo Processes Customer Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in this Section 15, then the terms specified in Section 15, with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of the DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of the DPA, the applicable Jurisdiction-Specific Terms will prevail, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Docebo.
15.2 State of California (US).
(a) As it relates to the DPA, each of the following defined terms shall be further interpreted to include certain terms as they are defined under the CCPA: (i) “Data Controller” shall include “Business”; (ii) “Data Processor” shall include “Service Provider” and (iii) “Personal Data” shall include “Personal Information”.
(b) Docebo shall Process Customer Personal Data only for the Business Purposes described in the DPA and in accordance with the Customer’s documented lawful instructions as set forth in the DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “Service Providers” under the CCPA.
(c) Notwithstanding any use restriction contained elsewhere in the DPA, Docebo shall retain, use or disclose Customer Personal Data only to perform the Services and/or in accordance with the Customer’s documented lawful instructions, except where otherwise required by applicable law.
(d) Docebo shall not Sell or Share Customer Personal Data, or combine it for any purpose other than to perform the Services specified in the Agreement.
(e) Docebo may Deidentify Customer Personal Data as part of performing the Services specified in the DPA and the Agreement and in accordance with the limitations on Service Providers under the CCPA. Docebo commits not to re-identify any Customer deidentified data Docebo processes on behalf of the Customer.
(f) Where Sub-processors Process Customer Personal Data, Docebo shall ensure that such Sub-processors are Service Providers under the CCPA with whom Docebo has entered into a written contract that includes terms substantially similar to the DPA, or are otherwise exempt from the CCPA’s definition of “sale”. Docebo conducts appropriate due diligence on its Sub-processors.
(g) Docebo’s obligations regarding Data Subject Requests, as described in Section 11 of the DPA, shall apply to Consumers’ rights under the CCPA.
(h) Docebo will notify Customer if Docebo determines that it can no longer meet its obligations under the CCPA.
15.3 The People’s Republic of China (Excluding Hong Kong, Macao, and Taiwan).
(a) As it relates to the DPA, the following terms shall be defined as below:
(i) “Personal Data” means “personal information” defined under the Personal Information Protection Law of the People’s Republic of China (“PIPL”);
(ii) “Data Controller” means “personal information processor” defined under the PIPL;
(iii) “Data Processor” means “entrusted party” under article 21 of the PIPL;
(iv) “Process”, “Processing” or “Processed” means any operation or set of operations which is performed upon Customer Data, including Personal Data, whether or not by automated means, including but not limited to any collection, storage, use, handling, transmission, provision, disclosure and deletion thereof;
(v) “Sensitive Data” means the personal information that is likely to result in damages to the personal dignity of any natural person or damages to his or her personal or property safety once divulged or misappropriated, including the personal information regarding biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14, or any other information that falls within the definition of “sensitive personal information” under the PIPL.
(b) The Parties acknowledge and agree that each Sub-processor listed in Annex D is a sub-entrusted party under article 21 of the PIPL and Docebo’s engagement of such sub-entrusted party has been agreed by Customer.
(c) Customer shall obtain all approval, authorization, certification, permission and/or exemption from competent government authorities or qualified third party professional institutions that are required for Customer to process, and engage Docebo as the entrusted party to process (including transferring out of China), the Customer Personal Data.
(d) Where Docebo or any Sub-entrusted party outside the People’s Republic of China (excluding Hong Kong, Macao, and Taiwan) Processes Customer Personal Data to perform the Services according to the Agreement and the DPA, it shall be deemed a cross-border Personal Data transfer under the PIPL, and both the Customer and Docebo shall implement adequate and applicable procedural and contractual measures to ensure that such transfers are made in compliance with the requirements of the PIPL. If the Customer requires that the Parties enter into the Standard Contract for outbound cross-border transfer of Personal Information, promulgated by the Cyberspace Administration of China under the Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Information, effective on 1 June 2023 (“Chinese SCC”), Docebo will send such Chinese SCC for the Customer to fill in and sign, and it will form an integral part of this DPA.
16. Conflicts. In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) will prevail: (a) the Standard Contractual Clauses; then (b) this DPA; and then (c) the Agreement.
17. Translations. Foreign translations of this DPA are reading translations only. In the event of any questions of interpretation or ambiguities, the English language version of this DPA will be binding and prevail.
18. Annexes. The following Annexes are provided via the links (except for Annex B, which is set out below) and are incorporated herein by reference.
Annex A – “Information Protection and Security Standards”. This annex is available, as amended from time to time, at: https://www.docebo.com/tos/Docebo_DPA_Annex_A_EN.pdf.
Annex B – “Details of Data Processing and Notification Referents”.
Annex C – “European Union Standard Contractual Clauses”. This annex is available, as amended (by law only) from time to time, at: https://www.docebo.com/tos/Docebo_DPA_Annex_C_EN.pdf.
Annex D – “Sub-processors List”. This annex is available, as amended from time to time in accordance with Section 3.1, at: https://tos.docebo.com/Docebo-sub-processors-list.pdf.
Annex E – “United Kingdom International Data Transfer Addendum”. This annex is available, as amended (by law only) from time to time, at: https://tos.docebo.com/DPA_Annex_+E_UK_SCCs.pdf
ANNEX B
Details of Data Processing and Notification referents
DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- The categories of Data Subjects are:
- Customer personnel
- Personnel of Customer’s customers and partners
- Other:
Categories of personal data transferred
- The categories of Personal Data transferred are determined and controlled by the Customer and may include:
- First and last name
- Contact details (email address)
- Formal learning tracking information (course completion status, final results/score, certificates)
- Informal learning tracking (asset publication/fruition tracking, asset ranking)
- Questions/Answers tracking
- Learner skill mapping/evaluation
- Other:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- No sensitive data will be transferred from the data exporter to the data importer.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- The frequency of the transfer will be on a continuous basis.
Nature of the processing.
- The nature of the Processing of Personal Data is to provide the Services in accordance with the Agreement.
Purpose(s) of the data transfer and further processing.
- Docebo will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the DPA, and as further instructed by Customer in its use of the Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
- Unless otherwise agreed in writing, the Personal Data will be retained until sixty (60) days following the termination or expiration of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
The subject matter and nature of the processing by Sub-processors are specified in Annex D of the DPA. The duration of the processing carried out by Sub-processors will be until sixty (60) days following the termination or expiration of the Agreement unless otherwise agreed.