Data Processing Addendum

Last Edit: Jan 08, 2024

1. Introduction

This Data Protection Addendum (“Addendum”) is entered into as and is supplemental to, and made pursuant to, the Platform Terms of Service by and between Kajabi, LLC, a California limited liability company (“Kajabi”), and Hero.  This Addendum applies to Kajabi’s Processing of Personal Data under the Platform Terms of Service between Kajabi and Hero for Kajabi’s provision of Services (the “Agreement”).

Hero enters into this Addendum on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates.  For the purposes of this DPA only, and except where indicated otherwise, the term “Hero” shall include Hero and Affiliates.  

This Addendum shall become legally binding upon Hero entering into the Agreement.

2. Definitions

Capitalized terms that are used but not defined in this Addendum have the meanings given in the Agreement.

a. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity.

b. “Applicable Data Protection Laws” means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data.

c. “Contact Data” means the Personal Data that Kajabi Processes as a controller, such as account information, payment information, on-site visitor information, and event attendee information.

d. “Customer Data” means all information or data, electronic or otherwise, that is provided to Kajabi by, or on behalf of Customer through the use of the Platform. Customer Data includes Content as defined in the Agreement.    

e. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.

f. “Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

g. “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws.

h. “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data being Processed by Kajabi. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.

i. “Service-Generated Data” means usage data and metadata that is generated through the use of the Services, including data generated through the use of customer support and other services unrelated to the Product. This Addendum applies to Service-Generated Data to the extent Service-Generated Data constitutes Personal Data.

j. “Services” means the collective products and services that may be provided by Kajabi as defined in the Agreement, including, without limitation the “Platform”.

k. “Subprocessor” means any third party authorized by Kajabi to Process any Personal Data.

3. General; Termination

a. This Addendum forms part of the Agreement and except as expressly set forth in this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum will govern.

b. Any liabilities arising under this Addendum are subject to the limitations of liability in the Agreement.  

c. This Addendum will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

d. This Addendum will remain in effect until, and automatically terminate upon, deletion of Personal Data or expiration or termination of the Agreement.  

4. Relationship of the Parties

a. Kajabi as Processor. The parties acknowledge and agree that with regard to the Processing of Customer Data, Hero may act as a controller or processor and Kajabi is a processor.  Kajabi will process Customer Data in accordance with Hero’s instructions as outlined in Section 6 (Role and Scope of Processing).    

b. Kajabi as Controller. To the extent that any Service-Generated Data is considered Personal Data and as to any Contact Data, Kajabi is the controller with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at https://kajabi.com/policies/privacy.

5. Compliance with Law.

Each party will comply with its obligations under Applicable Data Protection Laws with respect to its Processing of Personal Data.

6. Role and Scope of the Processing

a. Hero Responsibilities. Hero is solely responsible for obtaining and maintaining all the necessary consents prior to accessing, storing, uploading, processing, or storing Customer Data in the Service. Hero has provided, and will continue to provide, all notices and has obtained, and will continue to obtain, all consents, permissions, and rights necessary under applicable laws, including Applicable Data Protection Laws, for Kajabi to lawfully process Customer Data for the purposes contemplated by the Agreement. Hero has complied with all applicable laws, rules, and regulations, including Applicable Data Protection Laws, in the collection and provision to Kajabi and its Subprocessors of such Customer Data.

b. Hero Instructions. Kajabi will Process Personal Data only in accordance with Hero’s documented lawful instructions on behalf of the controller, except to the extent required by Applicable Data Protection Laws to which Kajabi is subject or where Kajabi becomes aware or believes that Hero’s instructions violate Applicable Data Protection Laws, in which case Kajabi will notify Hero. By entering into the Agreement, Hero instructs Kajabi to Process Customer Data to provide the Services and pursuant to any other written instructions given by Hero and acknowledged in writing by Kajabi as constituting instructions for purposes of this Addendum. Hero acknowledges and agrees that such instruction authorizes Kajabi to Process Customer Data (a) to perform its obligations and exercise its rights under the Agreement; (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement; and (c) does not conflict with the instructions given to the Hero by the controller to Process Personal Data.

7. Subprocessing

a. Hero specifically authorizes Kajabi to use its Affiliates as Subprocessors, and generally authorizes Kajabi to engage Subprocessors to Process Customer Data. In such instances, Kajabi: (i) will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this Addendum; and (ii) remains liable for compliance with the obligations of this Addendum and for any acts or omissions of the Subprocessor that cause Kajabi to breach any of its obligations under this Addendum.  

b. A list of Kajabi’s current Subprocessors, including their functions and locations, is available at this page or such other website as Kajabi may designate (“Subprocessor Page”), and may be updated by Kajabi from time to time in accordance with this Addendum.

c. If Kajabi appoints new Subprocessors or intends to make changes concerning the addition or replacement of Subprocessors, such changes will be made to our Subprocessor Page. You will have seven (7) calendar days from the date of our Subprocessor Page to object to the change. If You object to the appointment of a Subprocessor, Hero, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds and Hero will remain liable to pay any committed fees in the Agreement.

8. Security

a. Security Measures.  Kajabi will implement and maintain technical and organizational security measures designed to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with Kajabi’s security standards referenced in the Agreement (“Security Measures”).

b. Hero Responsibility.  

(i) Hero is responsible for reviewing the information made available by Kajabi relating to data security and making an independent determination as to whether the Services meet Hero’s requirements and legal obligations under Applicable Data Protection Laws. Hero acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Hero to reflect process improvements or changing practices (but the modifications will not materially decrease Kajabi’s obligations as compared to those reflected in such terms as of the Effective Date).  

(ii) Hero agrees that, without limitation of Kajabi’s obligations under this Section 8, Hero is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk with respect to the Customer Data; (b) securing the account authentication credentials, systems and devices Hero uses to access the Services; (c) securing Hero’s systems and devices that it uses with the Services; and (d) maintaining its own backups of Customer Data.

c. Security Incident. Upon becoming aware of a confirmed Security Incident, Kajabi will notify Hero without undue delay unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Kajabi’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, (a) the details of the Security Incident as known or as reasonably requested by Hero, and (b) the steps taken, deemed necessary and reasonable by Kajabi, to mitigate the potential risks, to the extent that the remediation is within Kajabi’s reasonable control. Without prejudice to Kajabi’s obligations under this Section 8.c., Hero is solely responsible for complying with Security Incident notification laws applicable to Hero and fulfilling any third-party notification obligations related to any Security Incidents. Kajabi’s notification of or response to a Security Incident under this Section 8.c. will not be construed as an acknowledgement by Kajabi of any fault or liability with respect to the Security Incident. These obligations will not apply to Security Incidents to the extent they are caused by Hero.

9. Audits and Reviews of Compliance.

The parties acknowledge that Hero must be able to assess Kajabi’s compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Kajabi is acting as a processor on behalf of Hero. Kajabi uses internal auditors to verify the adequacy of its security measures with respect to its processing of Hero Data. In the event Applicable Data Protection Laws require audit of Kajabi’s data security practices, Kajabi will work with Hero in good faith, and subject to reasonable confidentiality controls, to comply with audit requirements legally compelled or required under such laws.  If Kajabi is not able to comply with the above referenced audit, Hero, as its sole and exclusive remedy, may terminate the Agreement for convenience with no refunds and Hero will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering document.

10. Impact Assessments and Consultations.

Kajabi will provide reasonable cooperation to Hero in connection with any data protection impact assessment (at Hero’s expense only if such reasonable cooperation will require Kajabi to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Laws.

11. Data Subject Requests.

Kajabi will upon Hero’s request (and at Hero’s expense) provide Hero with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Hero cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Kajabi receives a request from a Data Subject in relation to their Personal Data, Kajabi will advise the Data Subject to submit their request to Hero, and Hero will be responsible for responding to any such request.

12. Return or Deletion of Personal Data

a. Upon termination of the Agreement, Kajabi will initiate its purge process to delete or anonymize the Personal Data within a commercially reasonable timeframe. You may also request, within 60 days of termination, that Kajabi return such Personal Data. Termination or expiration of the Agreement serves as instruction for Kajabi to delete all Personal Data within a commercially reasonable timeframe. 

b. Notwithstanding the foregoing, Hero understands that Kajabi may retain Hero Data if required by law, and such data will remain subject to the requirements of this Addendum.

13. International Provisions

a. Processing in the United States.  Hero acknowledges that, as of the Effective Date, Kajabi’s primary processing facilities are in the United States.  Notwithstanding the foregoing, Hero acknowledges that Kajabi may in connection with the provision of Services, need to transfer and process Hero data to and in the United States and anywhere else in the world where Kajabi and its Subprocessors maintain data processing operations. Kajabi will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this Addendum.

b. Jurisdiction Specific Terms.  To the extent that Kajabi Processes Personal Data originating from and protected by Applicable Data Protection Laws in one of the Jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this Addendum.

c. Cross Border Data Transfer Mechanism.  To the extent that Hero’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area (“EEA”), the United Kingdom (“UK”), Switzerland or any other jurisdiction listed in Schedule 3) to Kajabi located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Schedule 3 (Cross Border Transfer Mechanisms) will apply.

SCHEDULE 1

SUBJECT MATTER & DETAILS OF PROCESSING

1. Nature and Purpose of the Processing. Kajabi will process Personal Data as necessary to provide the Services under the Agreement. Kajabi does not sell Personal Data (or end user information within such Personal Data) and does not share such end users’ information with third parties for compensation or for those third parties’ own business interests.

a. Customer Data. Kajabi will process Customer Data as a processor in accordance with Hero’s instructions as outlined in Section 6.a (Hero Instructions) of this Addendum.

b. Service-Generated Data and Contact Data. Kajabi will process Service-Generated Data and Contact Data as a controller for the purposes outlined in Section 4.b (Kajabi as Controller) of this Addendum.

2. Processing Activities.

a. Customer Data. Customer Data will be subject to the following basic processing activities: the provision of Services and disclosures in accordance with the Agreement and/or as compelled by applicable laws.

b. Service-Generated Data and Contact Data. Personal Data contained in Service-Generated Data and Contact Data will be subject to the following processing activities by Kajabi:  Kajabi may use Service-Generated Data and/or Contact Data to operate, improve and support the Services, to provide marketing and service-related messages, and for other lawful business practices, such as analytics, benchmarking and reporting.

3. Duration of the Processing.  The period for which Personal Data will be retained and the criteria used to determine that period is as follows:

a. Customer Data. Prior to the termination of the Agreement, Kajabi will process stored Customer Data for the purpose of providing the Services until Hero elects to delete such Customer Data via the Platform or in accordance with the Agreement.  

b. Service-Generated Data and/or Contact Data.  Upon termination of the Agreement, Kajabi may retain, use and disclose Service-Generated Data and/or Contact Data for the purposes set forth above in Section 2.b (Services-Generated and Contact Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement.  Kajabi will anonymize or delete Personal Data contained within Service-Generated Data and/or Contact Data when Kajabi no longer requires it for the purpose set forth in Section 2.b (Service-Generated Data and/or Contact Data) of this Schedule 1.

4. Categories of Data Subjects.

a. Customer Data. Individuals whose Personal Data is included in Customer Data.

b. Service-Generated Data and Contact Data: Hero’s Permitted Users with access to a Kajabi account, Heroes, suppliers, and end users.

5. Categories of Personal Data.  

a. Personal Data. The categories of Personal Data are: any Personal Data that Hero, or third-parties acting on their behalf, may submit to Kajabi in connection with the performance of the Service, to the extent of which is exclusively determined and controlled by the Hero.

b. Service-Generated Data and Contact Data.  Kajabi processes Personal Data within Service-Generated Data and/or Contact Data, such as name, email address, phone number, account preferences, and content of communications with any support services.

6. Sensitive Data or Special Categories of Data.  

a. Customer Data.  Heroes are prohibited from including sensitive data or special categories of data in Customer Data.

b. Service-Generated Data and Contact Data.  Sensitive Data is not contained in Service-Generated Data and/or Contact Data.  

SCHEDULE 2

TECHNICAL & ORGANIZATIONAL SECURITY MEASURES

Where applicable, this Schedule 2 will serve as Annex II to the Standard Contractual Clauses. The following provides more information regarding Kajabi’s technical and organizational security measures set forth below.

Technical and Organizational Security Measures:

1. Measures of pseudonymization and encryption of personal data.

Personal Data is encrypted in transit, at rest and protected by role-based access controls.

2. Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services.

Kajabi's Hero agreements contain strict confidentiality obligations. Additionally, Kajabi requires every downstream Subprocessor to sign confidentiality provisions that are substantially similar to those contained in Kajabi's Hero agreements. Kajabi ensures that Customer Data is restricted to business responsibilities or subject matter experts.

3. Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

Kajabi ensures that all backups are analyzed to ensure successful recovery and maintain required availability. Backups are stored within the encrypted production environment to preserve their confidentiality and integrity. Best practices are employed within our infrastructure to ensure resiliency and ease of recovery in the event of an incident. Tests are conducted at least annually.

4. Processes for regular testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of processing.

Kajabi ensures effectiveness of technical and organizational measures via internal and external assessments. 

5. Measures for user identification and authorization.

Kajabi personnel are required to use unique user access credentials and passwords for authorization. Kajabi follows the principles of least privilege through role-based models when provisioning system access. Kajabi personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval prior to access provisioning. Access is promptly removed upon role change or termination.

6. Measures for the protection of data during transmission.

Customer Data is encrypted in transit and protected by role-based access controls. 

7. Measures for the protection of data during storage.

Customer data is encrypted at rest and protected by role-based access controls. 

8. Measures for ensuring physical security of locations at which personal data are processed.

Kajabi is hosted in certified data centers that meet the requirements of ISO 27001, PCI DSS Service Provider Level 1, and SOC 2. Physical security controls at our data centers include but are not limited to 24x7 monitoring, surveillance cameras, visitor logs, and stringent entry requirements. 

9. Measures for ensuring events logging.

Kajabi monitors access to applications, tools, and resources that process or store Customer Data, including user activity, administrator and privileged user activity, processing activity, network and firewall activity, audit activity and scanning. Monitoring of security logs is centralized by the security team. Log activities are investigated when necessary and escalated appropriately.

Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized Kajabi personnel. Logs are preserved in accordance with regulatory requirements. 

10. Measures for ensuring systems configuration, including default configuration.

Kajabi implements a baseline configuration for its computer and network devices that includes but is not limited to: (a) removing and disability unnecessary user accounts; (b) changing default or guessable account passwords; (c) authenticating users before enabling internet-based access to sensitive data or critical data. 

Our development team employs secure coding techniques and best practices, focused around mitigating risk to the OWASP Top Ten. Developers are trained in secure web application development practices regularly. Development, testing, and production environments are logically segmented. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.

11. Measures for internal IT and IT security governance and management.

Kajabi maintains a risk-based assessment security program. The framework for Kajabi’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Kajabi’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Kajabi’s business operations. Kajabi has dedicated Privacy & Security personnel, who focus on application, network, and system security. These individuals are responsible for security compliance, education, and incident response. Further, these individuals are integrated throughout the organization and provide strategic guidance on best practices regularly. 

12. Measures for certifications/assurance of processes and products.

Kajabi conducts various internal and third-party audits to attest to various frameworks.

13. Measures for ensuring data minimization.

Kajabi Heroes unilaterally determine what Customer Data they route through the Kajabi Services and how the Services are configured. As such, Kajabi operates on a shared responsibility model. Kajabi provides tools within the Services that gives Heroes control over exactly what data enters the platform.

14. Measures for ensuring data quality.

Hero shall have sole responsibility for the accuracy, quality, and legality of the Customer Data and the means by which Hero acquired the Customer Data. Data that is processed is monitored by Kajabi to ensure it is accurate, complete and reliable for purposes of providing the Services and Platform. 

15. Measures for ensuring limited data retention.

Heroes unilaterally determine what Customer Data they route through the Kajabi Services and how the Services are configured. As such, Kajabi operates on a shared responsibility model. If a Hero is unable to delete Customer Data via the self-services functionality of the Services, then Kajabi deletes Customer Data upon the Hero's written request, within the timeframe specified in the Data Protection Addendum and in accordance with Applicable Data Protection Law.

16. Measures for ensuring accountability.

Kajabi has adopted measures for ensuring accountability, such as implementing data protection policies across the business, maintaining documentation of processing activities, recording and reporting Security Incidents involving Personal Data, and appointing a Data Protection Officer. Additionally, Kajabi conducts third-party audits to ensure compliance with our privacy and security standards.

17. Measures for allowing data portability and ensuring erasure.

Kajabi's Heroes have direct relationships with their end users and are solely responsible for responding to requests from their end users who wish to exercise their rights under Applicable Data Protection Laws. Kajabi has built-in self-service functionality to the Services that allow Heroes to delete and suppress Personal Data, with product documentation available at this page.  If a Hero is unable to use such self-service functionality, Kajabi specifies in the Data Protection Addendum that it will provide assistance to such Hero as may reasonably be require to comply with Hero's obligations under Applicable Data Protection Laws to respond to requests from individuals to exercise their rights under Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection). If Kajabi receives a request from a Data Subject in relation to their Personal Data, Kajabi will advise the Data Subject to submit their request to Hero, and Hero will be responsible for responding to any such request.

18. For transfers to [sub]-processors, also describe the specific technical and organisational measures to be taken by the [sub]-processor to be able to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the data exporter.

When Kajabi engages a sub-processor under this Addendum, Kajabi and the sub-processor enter into an agreement with data protection terms substantially similar to those contained herein. Each sub-processor agreement must ensure that Kajabi is able to meet its obligations to Hero.  In addition to implementing technical and organisational measures to protect personal data, sub-processors must a) notify Kajabi in the event of a Security Incident so Kajabi may notify Hero; b) delete data when instructed by Kajabi in accordance with Hero’s instructions to Kajabi; c) not engage additional sub-processors without authorization; d) not change the location where data is processed; or e) process data in a manner which conflicts with Hero’s instructions to Kajabi.

SCHEDULE 3

CROSS BORDER DATA TRANSFER MECHANISM

1. Definitions

a “Standard Contractual Clauses” means the 2021 Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. The 2021 Standard Contractual Clauses.

 For data transfers from the European Economic Area, the UK, and Switzerland that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will apply in the following manner:

a. Module One (Controller to Controller) will apply where Hero is a controller of Service-Generated Data and/or Contact Data and Kajabi is a controller of Service-Generated Data and/or Contact Data.  
b. Module Two (Controller to Processor) will apply where Hero is a controller of Customer Data and Kajabi is a processor of Customer Data;
c. Module Three (Processor to Processor) will apply where Hero is a processor of Customer Data and Kajabi is a sub-processor of Customer Data;
d. For each Module, where applicable:

(i) in Clause 7, the option docking clause will not apply;

(ii) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set forth in Section 7 (Subprocessing) of this Addendum;

(iii) in Clause 11, the optional language will not apply;

(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Irish law.

(v) in Clause 18(b), disputes will be resolved before the courts of Ireland;

(vi) In Annex I, Part A:  

Data Exporter:  Hero and authorized Affiliates of Hero.

Contact Details:  Hero’s account owner email address, or to the email address(es) for which Hero elects to receive privacy communications.

Data Exporter Role:  The Data Exporter’s role is outlined in Section 4 of this Addendum.

Signature & Date:  By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

Data Importer:  Kajabi, LLC

Contact Details: Kajabi Privacy Team – privacy@kajabi.com.

Data Importer Role: The Data Importer’s role is outlined in Section 4 of this Addendum.

Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.

(vii) In Annex I, Part B:

The categories of data subjects are described in Schedule 1, Section 4.

The sensitive data transferred is described in Schedule 1, Section 6.

The frequency of the transfer is a continuous basis for the duration of the Agreement.

The nature of the processing is described in Schedule 1, Section 1.

The purpose of the processing is described in Schedule 1, Section 1.

The period of the processing is described in Schedule 1, Section 3.

For transfers to sub-processors, the subject matter, nature, and duration of the processing is outlined at our Subprocessor Page

(viii) In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority.

(ix) Schedule 2 serves as Annex II of the Standard Contractual Clauses.

4. As to the specific modules, the parties agree that the following checked modules apply, as the circumstances of the transfer may apply:

  • Controller-Controller - Module One
  • Controller-Processor - Module Two
  • Processor-Processor - Module Three

5. To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the provisions of the Standard Contractual Clauses will prevail.

SCHEDULE 4

JURISDICTION SPECIFIC TERMS

1. California

a. The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (“CCPA”).

b. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA.  

c. With respect to Personal Data, Kajabi is a service provider under the CCPA.

d. Kajabi will not (a) sell Personal Data; (b) retain, use or disclose any Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Personal Data outside of the direct business relationship between Kajabi and Hero.

e. The parties acknowledge and agree that the Processing of Customer Data authorized by Hero’s instructions described in Section 6 of this Addendum is integral to and encompassed by Kajabi’s provision of the Services and the direct business relationship between the parties.

f. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the parties acknowledge and agree that Kajabi’s access to Customer Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.

g. To the extent that any Service-Generated and/or Contact Data (as defined in the Agreement) is considered Personal Data, Kajabi is the business with respect to such data and will Process such data in accordance with its Privacy Policy, which can be found at https://kajabi.com/policies/privacy.

2. EEA

a. The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679)(“GDPR”).

b. When Kajabi engages a Subprocessor under Section 7 (Subprocessing), it will:

(i) require any appointed Subprocessor to protect Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

c. GDPR Penalties. Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

3. Switzerland

a. The definition of “Applicable Data Protection Laws” includes the Swiss Federal Act on Data Protection.

b. When Kajabi engages a Subprocessor under Section 7 (Subprocessing), it will

(i) require any appointed Subprocessor to protect Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.

4. United Kingdom

a. References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

b. When Kajabi engages a Subprocessor under Section 7 (Subprocessing), it will:

(i) require any appointed Subprocessor to protect Personal Data to the standard required by Applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and

(ii) require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data on terms equivalent to the Standard Contractual Clauses.