Data Processing Agreement
This Data Processing Agreement (the “DPA”) is entered into between Customer and Calm. This DPA applies where Calm Processes Customer Data as a processor on behalf of Customer, the controller, in connection with providing the Services.
1. DEFINITIONS
Capitalized terms not defined below will have the meanings set forth in Attachment 1 to this DPA.
2. DATA PROCESSING AND PROTECTION
2.1 Limitations on Use.
Calm will Process Customer Data only: (a) in a manner consistent with documented instructions from Customer, including with regard to transfers of Customer Data to a third country, which will include Processing (i) as authorized or permitted under your agreement with Calm, including as specified in Attachment 2 to this DPA, and (ii) consistent with other reasonable instructions of Customer, provided that Processing pursuant to such other instructions may be subject to additional fees; and (b) as required by Data Protection Law, provided that Calm will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law. Without limiting the foregoing, Calm will not: (x) retain, use, or disclose the Customer Data (i) outside of the direct business relationship between the parties or (ii) for any purpose other than the specific purpose of performing the Services, including retaining, using, or disclosing the Customer Data for a commercial purpose other than providing the Services; (y) sell or share (as defined by Data Protection Law) the Customer Data; or (z) combine Customer Data with personal data Calm receives from individuals or other customers, except as permitted by Data Protection Law.
2.2 Compliance.
Each party will comply with its obligations under Data Protection Law. Calm shall notify Customer within 5 business days of determining that it cannot meet its obligations under Data Protection Law. Upon receiving written notice from Customer that Calm has Processed Customer Data without authorization, Calm will take reasonable and appropriate steps to stop and remediate such Processing.
2.3 Confidentiality.
Calm will ensure that persons authorized by Calm to Process any Customer Data are subject to appropriate confidentiality obligations.
2.4 Security.
Calm will implement measures to protect Customer Data that meet or exceed applicable requirements under Data Protection Law, including, as applicable, requirements under Article 32 of the GDPR.
These measures include technical and organizational measures described in Attachment 3, such as the use of firewalls, access control protocols, business continuity measures, penetration tests and patch management protocols.
2.5 Disposal.
Calm will delete all Customer Data after the end of the provision of Services unless Data Protection Law requires the storage of such Customer Data by Calm, in which case Calm will only further retain and process such Customer Data for the limited duration and purposes required by such Data Protection Law.
3. ASSISTANCE
3.1 Data Subject’s Rights Assistance.
Taking into account the nature of the Processing, Calm will reasonably assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising any individual’s privacy or data protection rights provided under Data Protection Law, including rights laid down in Chapter III of the GDPR.
Customer will inform Calm of any Data Subject request that Calm must comply with and will provide the information necessary for Calm to comply with the request.
3.2 Security and Assistance.
Taking into account the nature of Processing and the information available to Calm, Calm will reasonably assist Customer in ensuring compliance with its security obligations under Article 32 of the GDPR.
3.3 Customer Data Breach Notice and Assistance.
Calm will notify Customer of any Customer Data Breach without undue delay after becoming aware of such Customer Data Breach. Taking into account the nature of Processing and the information available to Calm, Calm will assist Customer in ensuring compliance with Customer’s notification obligations under Data Protection Law in connection with any Customer Data Breach, including in ensuring compliance with Customer’s obligations pursuant to Articles 33 and 34 of the GDPR. Calm’s notification of or response to a Customer Data Breach will not constitute an acknowledgment of fault or liability with respect to the Customer Data Breach.
3.4 Data Protection Impact Assessment Assistance.
Taking into account the nature of Processing and the information available to Calm, Calm will assist Customer in ensuring compliance with the obligations under Articles 35 and 36 of the GDPR.
4. AUDITS
4.1 Calm’s Audit Reports.
To help Customer assess Calm’s compliance with the terms of this DPA, upon Customer’s request, Calm will make available to Customer copies of, or extracts from, Calm’s audit reports related to security (for example, its SOC 2 report).
4.2 Customer’s Audit Rights.
Calm will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to verify Calm’s compliance with this DPA if such an audit is required by Data Protection Law and Calm’s compliance cannot be demonstrated by means that are less burdensome on Calm (including under Section 4.1). In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by Calm, including that such audit must occur during Calm’s normal business hours; (b) comply with reasonable and applicable on-site policies and procedures provided by Calm; and (c) not unreasonably interfere with Calm’s business activities. Customer will provide written communication of any audit findings to Calm, and the results of the audit will be the Confidential Information of Calm. Customer will provide no less than 30 days’ advance notice of its request for any such audit, and will cooperate in good faith with Calm to schedule any such audit on a mutually agreed-upon date and time (such agreement not to be unreasonably withheld by either party). Customer may not make more than one such request in a calendar year, unless such request is required by a competent supervisory authority. Customer will be responsible for all costs associated with any such audits.
5. SUBPROCESSORS
Customer authorizes Calm to use subcontractors set forth in Attachment 4 to Process Customer Data in connection with the provision of Services to Customer (“Subprocessor”). Calm will notify Customer of any intended changes concerning the addition or replacement of its Subprocessors, and provide Customer with the opportunity to object to such changes. Customer will notify Calm in writing of any such objection within 10 days of receipt of Calm’s written notice of the change or will waive its right to object. If Customer provides written notice of its objection within such period and Calm determines it cannot accommodate such objection, Calm may terminate your agreement upon notice to Customer without liability. Calm will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Calm will remain liable for any acts or omissions of its Subprocessors as it would for its own acts and omissions.
6. DATA TRANSFERS
6.1 Overview.
The transfer of EEA, UK, and Swiss residents’ Customer Data to a country not subject to an adequacy decision (a “Data Transfer”) will be subject to the SCCs, which are incorporated and deemed executed by this reference. If an alternative transfer mechanism for legitimizing Data Transfers (an “Alternative Mechanism”) becomes available during the term of this DPA, and Calm notifies Customer that Data Transfers can be conducted in compliance with Data Protection Law pursuant to the Alternative Mechanism, the parties will rely on the Alternative Mechanism to legitimize Data Transfers instead of the provisions that follow.
6.2 SCCs.
The parties agree to comply with the general clauses and with Module 2 (Controller to Processor) of the SCCs (which are deemed executed as of the effective date of this DPA) with Customer as the “data exporter” and Calm as the “data importer.”
6.3 Transfers Subject to Swiss Data Protection Law.
If any Customer Data subject to the Swiss Federal Act on Data Protection of 19 June 1992 (the “FADP”) is subject to a Data Transfer, the parties will conduct such transfer pursuant to the SCCs with the following modifications: the competent supervisory authority in Annex I.C under Clause 13 shall be the Federal Data Protection and Information Commissioner insofar as the data transfer is governed by the FADP; references to a “Member State” and “EU Member State” will not be read so as to preclude data subjects in Switzerland from suing for their rights in their place of habitual residence (Switzerland); and references to “GDPR” in the SCCs will be understood as references to the FADP.
6.4 Transfers Subject to the UK GDPR.
Any Customer Data that is subject to the UK GDPR and a Data Transfer will be subject to the UK IDTA, which is incorporated by this reference. Neither party can terminate the UK IDTA pursuant to Table 4 and Section 19 thereof without the written consent of the other.
Attachment 1
Definitions
For purposes of this DPA, the following terms will have the meaning ascribed below:
“Customer” means the entity accessing the Calm mobile application and related websites.
“Customer Data” means any identifying information (such as name, email address, employee ID number, or other identifying information designated by Customer) of an applicable User that is provided by Customer to Calm to verify the eligibility of individuals to receive the Services.
“Customer Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
“Data Protection Law” means any and all privacy, security and data protection laws and regulations that apply to the Customer Data Processed by Calm pursuant to your agreement, including, as applicable, the GDPR, Member State laws implementing the GDPR, the UK GDPR, the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Virginia Consumer Data Protection Act.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Process” or “Processing” means any operation or set of operations which is performed on Customer Data or on sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“SCCs” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914, as may be replaced or superseded by the European Commission. The parties make the following choices for implementing the SCCs:
- In Clause 7, the optional docking clause will apply.
- The audits contemplated by Clause 8.9 shall be conducted according to Section 4 of this DPA.
- In Clause 9, Option 2 will apply and the time period for notice of Subprocessor changes will be as set forth in Section 5 of this DPA.
- In Clause 11, the optional language will not apply to the SCCs or the UK IDTA.
- In Clause 15.1(a), Calm will notify Customer if it receives a government access request, and Customer shall be solely responsible for notifying affected Data Subjects.
- In Clause 17, the SCCs shall be governed by the laws of Ireland.
- In Clause 18(b), the parties agree to resolve disputes arising from the SCCs in the courts of Ireland.
- The information needed to complete Annex I of the SCCs is included in Attachment 2 to this DPA.
- The information needed to complete Annex II of the SCCs is included in Attachment 3 to this DPA.
- The information needed to complete Annex III of the SCCs is included in Attachment 4 to this DPA.
“Services” means the services Calm provides to Customer, consisting of verifying the eligibility of individuals to receive the Calm services and providing access to the Calm mobile application and related website, which offer a variety of audio and/or visual mental resiliency content.
“UK GDPR” means the GDPR as incorporated into United Kingdom law by the Data Protection Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (each as amended, superseded, or replaced).
“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022, available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf. The information needed to complete the Tables to the UK IDTA is provided in the Attachments to this DPA.
Attachment 2
Scope of Processing
Subject-Matter and Duration of Processing
Calm Processes Customer Data in connection with the subject matter specified under your agreement and until your agreement terminates or expires, unless otherwise agreed upon by the parties in writing.
Nature and Purpose of Processing (i.e., Processing operations)
Customer has agreed to pay for certain individuals to receive a discount to use Calm’s services (“Discount”). Customer may from time to time provide Customer Data, including limited personal data regarding eligible individuals, so that individuals to whom Customer wants to provide a Discount can register for a Calm account. To provide Customer Data to Calm, Customer may from time to time (i) provide an eligibility file to Calm containing names, email addresses, and other related information of the individuals to whom it wants to provide the Discount; (ii) work with Calm to establish a Single Sign-On (SSO) or Application Programming Interface (API) connection between Customer’s website and Calm’s services; or (iii) use such other methods as agreed upon by the parties. Calm will use the Customer Data it receives to: determine whether the registering individual should receive the Discount; communicate with the individual regarding the Discount; provide Customer and user support, including help with Discount issues; and, subject to Customer’s choices in Partner Portal and feature availability, send emails to individuals on Customer’s behalf to promote the availability of the Discount.
Types of Personal Data
The personal data subject to this DPA includes the unique identifier (email address, employee ID, or other non-sensitive identifier as determined by Customer) provided by Customer to Calm, as well as any additional data Customer appends for segmented data reporting purposes. Calm will be the controller of any personal data Calm collects directly from any individual User, and such data may include names and email addresses that overlap with information contained within the eligibility data provided by Customer.
Categories of Data Subjects
Individuals to whom Customer wishes to provide the Discount, as determined by Customer.
Special Categories of Data (if appropriate)
None.
Data exporter (if applicable)
Customer is a company that wishes to help promote use of Calm’s services by certain individuals.
Data importer (if applicable)
Calm is an operator of consumer-facing web and mobile applications that provide music, stories, meditations and other content.
Frequency of Transfers
Calm will import Customer Data on a continuous basis.
Period of Data Retention
Calm will retain the Customer Data until the termination of the Agreement, unless otherwise agreed to by the parties.
Attachment 3
Security of Customer Data
Calm employs the following technical and organizational measures to protect Customer Data:
1. Calm Data Governance.
Calm maintains appropriate policies and procedures to safeguard Customer Data. It regularly commissions independent audits of its compliance with such policies as part of its SOC 2 Type II attestation and will make summaries of its audit reports available to Customer pursuant to Section 4 (Audits) of the DPA.
2. Calm Systems.
Calm has implemented reasonable measures designed to help prevent and detect unauthorized access to the Calm systems used to process Customer Data, including:
- implementation and maintenance of policies and training that inform staff of their obligations to access Customer Data and supporting systems only to the extent necessary to perform their job duties (i.e., need-to-know and the principle of least privilege), to handle sensitive information appropriately, and to report incidents, as well as the consequences of violating such obligations;
- requiring individual account credentials such as user IDs that, once assigned, are not reassigned to another person;
- procedures limiting the release of Customer Data only to authorized persons;
- implementation and maintenance of a role-based access policy and related protective measures;
- use of credentials (passwords) for Calm systems with enforced complexity requirements and a minimum length of eight characters (or the maximum length the system permits, if lower), with required modification of such credentials at first use and at least every 120 days thereafter;
- automatic lockout of individual account credentials after a defined number of failed password attempts, and maintenance of an event log, including monitoring for brute-force attacks;
- automatic deactivation of staff member authentication credentials after a defined period of non-use, except for credentials authorized solely for technical management, which are subject to alternate monitoring and review;
- revocation of access rights upon termination of staff;
- identification of the machine and/or staff member accessing Calm systems;
- dedication of individual machines and/or staff members to specific functions, where appropriate;
- controlling and monitoring the use of administrative privileges;
- limitations and controls on Calm network ports, protocols, and services;
- implementation and maintenance of anti-virus scanning, intrusion detection systems, and other malware defenses on and for Calm networks and systems;
- end-point monitoring and centralized log collection, analysis, and anomaly detection; and
- risk-based implementation of industry-standard encryption technologies.
3. Cloud Security.
Calm uses AWS as its primary cloud-hosting provider. AWS maintains independent SOC reports and ISO certifications and supports HIPAA- and NIST-aligned workloads, among other attestations. Calm’s service selections and configuration choices within AWS also reflect its security approach. For example, Calm may use, as appropriate:
- Amazon Inspector for vulnerability scanning;
- AWS Shield for DDoS mitigation;
- AWS WAF as a web application firewall;
- Amazon GuardDuty for threat detection (IDS);
- AWS CloudTrail to log API activity in Calm’s cloud environments and support anomaly detection;
- AWS server-side encryption (SSE) and AWS Key Management Service (KMS) for encryption at rest;
- AWS Certificate Manager (ACM) for TLS certificate management;
- AWS Application Load Balancers (ALBs) for TLS termination and cipher policy enforcement;
- Amazon ECR image scanning for static container analysis;
- AWS Config for configuration policy enforcement and monitoring; and
- AWS Security Hub for further monitoring of and alerting on common security issues.
4. Calm Asset Management.
Calm has implemented reasonable measures designed to help ensure control and secure configuration of Calm-owned hardware and software assets, including:
- conducting and maintaining an inventory of Calm hardware assets;
- conducting and maintaining an inventory of Calm software assets;
- applying risk-appropriate configurations to Calm hardware and software on mobile devices, laptops, workstations, and servers;
- changing default passwords prior to deploying any new Calm hardware asset; and
- maintaining a reasonable vulnerability scanning and management program.
5. Calm Application Software Security.
Calm has implemented reasonable measures designed to help address privacy and security considerations in the development of its code for the Calm platform, including:
- separating production and non-production systems;
- implementing standardized coding practices and code reviews appropriate to the programming language and development environment;
- ensuring development staff receive training on secure coding practices and common vulnerability classes (for example, the OWASP Top Ten), as well as HIPAA and PHI handling training; and
- conducting, or engaging a reputable third party to conduct, periodic, risk-based penetration tests of any external or internal websites, applications, and systems used to process Customer Data.
6. Physical Security.
Calm maintains reasonable measures designed to help prevent and detect unauthorized access to the data processing facilities where Customer Data is stored or processed by Calm or its vendors for data center or cloud services, including:
- establishing security areas, with 24-hour security service provided by the property owner;
- protecting and restricting access paths;
- securing data processing equipment; and
- maintaining appropriate processes applicable to the use of physical access cards or keys.
7. Personnel.
Calm has implemented reasonable technical and organizational measures to help ensure its staff are subject to a contractual or statutory obligation of confidentiality and are regularly trained regarding privacy and security.
Attachment 4
Subprocessors
| Subprocessor Name | Services Performed | Countries where Subprocessor will Process Customer Personal Data | Cross-Border Data Transfer Mechanism |
| ------------------------- | ------------------------------------ | ---------------------------------------------------------------- | ------------------------------------ |
| Amazon Web Services, Inc. | Web hosting | United States | SCCs |
| Amplitude, Inc. | Analytics | United States | SCCs |
| Google, LLC | Communication and productivity tools | United States | SCCs |
| Iterable, Inc. | Email delivery and measurement | United States | SCCs |
| Okta, Inc. | User authentication | United States | SCCs |
| Slack Technologies, Inc. | Internal communications | United States | SCCs |
| Teleport Inc. | Infrastructure access control | United States | SCCs |
| Zendesk, Inc. | Customer service | United States | SCCs |