Everfit Data Processing Agreement

Last updated: Jan 13, 2022

 

This Data Processing Agreement (“Agreement”) entered into by and between Everfit, Inc. (“Everfit” or “Us”) and you (“Trainer” or “You”), is incorporated into and supplements our Terms of Service and Privacy Policy when Data Protection Laws apply to the processing of Client Data or Trainer Data (as defined below).

When using Everfit Services (as defined in Everfit’s Terms of Service), a Trainer may upload, submit, or otherwise provide content to the Everfit Platform (“Trainer Content”). The Trainer is the owner of their Trainer Content, and the sole Controller of any personal data included in their Trainer Content (“Trainer Data”). Everfit processes Trainer Data on behalf of the Trainer at the Trainer’s direction. Everfit is a Processor, as defined in this Agreement and under applicable law, of Trainer Content and Trainer Data.

To connect Trainers and Clients and enable Trainers to provide services to their Clients, Everfit provides Trainers with access to a limited set of personal data of Clients enrolled in their services (“Client Data”), as specified in our Privacy Policy. Everfit and Trainers may each use Client Data for their own business purposes, at all times subject to the terms of this Agreement, our Terms of Use, and our Privacy Policy. Everfit and Trainers are each independent Controllers, as defined in this Agreement and under applicable law, of Client Data collected by Everfit that is accessed by or transferred to Trainers.

Terms used but not defined in this Agreement can be found in our Terms of Use and/or Privacy Policy. For the avoidance of doubt, this Agreement comprises this Data Processing Agreement, any appendices to it, and the Standard Contractual Clauses (where applicable, and as defined herein).

 

Definitions.

“Controller” means the entity determining the purpose and the manner in which Personal Information is processed.

“Processor” means an entity that processes Personal Information on behalf of a Controller.

“Data Protection Laws” means all data protection laws and regulations applicable to the processing of Trainer Data and Client Data, including, without limitation, the EU Data Protection Law.

“EU Data Protection Law” means all data protection laws and regulations applicable to the European Union, the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”), including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national legislation implementing the GDPR and Directive 2002/58/EC; and (iv) with respect to the UK, any applicable national legislation that replaces the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, consumer personal data transmitted, stored or otherwise processed.

“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision (EU) 2021/914.

“Sensitive Data” means (i) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof); (ii) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (iii) employment, financial, genetic, biometric or health information; (iv) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (v) account passwords; or (vi) other information that falls within the definition of “special categories of data” under applicable Data Protection Laws.

“Sub-Processor” means any entity engaged by Everfit to provide processing services in furtherance of Everfit’s processing of Trainer Data.

The terms “personal data”, “data subject”, and “processing” shall have the meaning given to them under Data Protection Laws, or if not defined thereunder, the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly.

 

1. Relationship between the Parties.

1.1. The parties acknowledge and agree that Trainer is the Controller and Everfit is a Processor acting on behalf of Trainer with respect to Trainer Data and Client Data collected by the Trainer independent of Everfit, as further described in Schedule A of this Agreement.

1.2. The parties acknowledge and agree that Everfit and Trainer each act as an independent Controller with respect to their particular processing of Client Data that is collected by Everfit and accessed by or transferred to the Trainer. For the avoidance of doubt, Everfit and Trainer are at all times independent Controllers, not joint Controllers, of Client Data.

 

2. Trainer Obligations as a Controller of Trainer Data.

2.1. Trainer shall (i) comply with all applicable laws, including but not limited to Data Protection Laws, in its use of Everfit Services and its own processing of Trainer Data and Client Data, (ii) ensure that it has, and will continue to have, the right to transfer, or provide access to, Trainer Data and Client Data to Everfit for processing in accordance with our Terms of Service and this Agreement, and (iii) be solely responsible for the accuracy, quality, and legality of Trainer Data and the means by which Trainer acquired Trainer Data.

2.2. Trainer Instructions. Trainer appoints Everfit to process Trainer Data on behalf of, and in accordance with, Trainer’s documented instructions (i) as set forth in our Terms of Service and this Agreement; (ii) as necessary to comply with applicable law; and (iii) as otherwise agreed in writing by the parties. The parties agree that our Terms of Service and this Agreement constitute the Trainer’s documented instructions to Everfit regarding the processing of Trainer Data, and any processing outside the scope of these instructions shall require prior written agreement between the parties. Trainer will ensure that Trainer’s documented instructions relating to Everfit’s processing of Trainer Data will not cause Everfit to violate any applicable laws, including Data Protection Laws.

3. Everfit’s Obligations as Processor of Trainer Data.

3.1. Everfit shall process Trainer Data in accordance with applicable Data Protection Laws and consistent with our Terms of Service, Privacy Policy and this Agreement. Everfit shall only process Trainer Data in accordance with the Trainer’s documented instructions, as outlined in Section 2.2.

3.2. Everfit shall notify the Trainer if it becomes aware of, or reasonably believes that, a documented instruction from the Trainer infringes upon Data Protection Laws.

3.3. Confidentiality. Everfit shall ensure that its employees, authorized agents, and any Sub-Processors authorized to process Trainer Data have agreed to comply with confidentiality obligations with respect to Trainer Data.

3.4. Assistance to Trainer. Everfit shall, taking into account the nature of the processing and the information available to Everfit, provide reasonable assistance to Trainer to enable Trainer to comply with its obligations under applicable Data Protection Laws. Notwithstanding the foregoing, Trainer agrees that it will not cause Everfit to process any personal data that presents a high risk to the rights and freedoms of data subjects.

 

3.5. Sub-Processors.

3.5.1. Trainers hereby agree and provide a general prior authorization that Everfit and its affiliates may engage sub-processors. Everfit maintains a list of Sub-processors available at http://help.everfit.io/en/articles/5521253-list-of-data-subprocessors.

3.5.2. Trainers consent to Everfit engaging additional or replacement Sub-processors. Everfit shall update the list of Sub-Processors from time to time, subject to Section 3.5.3, to give Trainers an opportunity to object to them.

3.5.3. This Section 3.5.3 will apply only where and to the extent that Trainers are established within the EEA, the United Kingdom or Switzerland or where otherwise required by Data Protection Regulations applicable to you. In such event, Trainers understand and accept that such objection may result in Everfit not being able to fulfill its obligations under our Terms of Service and may result in termination of services.

 

3.6. Deletion on Termination. Upon termination or expiration of this Agreement, Everfit shall (at the Trainer’s election) export or delete all Trainer Data in its possession or control, except that this requirement shall not apply to the extent Everfit is required to retain some or all of the Trainer Data to comply with its legal obligations, or to Trainer Data it has archived on backup systems, which Everfit shall protect from any further processing and eventually delete in accordance with Everfit’s data retention policies, except to the extent required by applicable law.

3.6.1. Trainer acknowledges and agrees that Everfit will fulfill its obligations to export Trainer Data under this section by providing Trainer the opportunity to download Trainer Content out of the Everfit Platform.

 

4. Data Subject Requests.

4.1. Client Data. Each party shall respond to data subject requests received by it concerning the processing of applicable Client Data promptly and within the timeframes required by Data Protection Laws. In the event that Trainer receives any data subject requests regarding Client Data, Trainer will promptly (and in any event within three business days) notify Everfit and provide Everfit with a copy of the request. To the extent that Everfit is a Controller of the Client Data that is the subject of such request, Everfit will respond directly to the Client.

4.2. Everfit shall, taking into account the nature of the processing, provide reasonable assistance to Trainer to enable Trainer to comply with its data protection obligations with respect to data subject requests.

 

5. Security and Compliance Rights

5.1. Security Measures. Taking into account the state of technical developments and the nature of processing, Everfit undertakes to establish and maintain appropriate technical and organizational measures in order to protect Trainer Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access, in accordance with Everfit’s security standards described in Schedule B (“Security Measures”).

5.2. Personal Data Breaches. In the event that Everfit becomes aware of a Personal Data Breach that affects Trainer Data or Client Data, Everfit shall notify Trainer without undue delay of the Personal Data Breach via the email address associated with the Trainer’s primary owner account.

5.3. Compliance Obligations. In order to ensure compliance with the applicable Data Protection Laws, Everfit shall make available to the Trainer information necessary to demonstrate compliance with the legal obligations related to the processing of Trainer Data by Everfit on behalf of the Trainer.

5.3.1. Everfit shall respond to all reasonable requests for information made by Trainer to confirm Everfit’s compliance with this Agreement upon Trainer’s written request to privacy@everfit.com.

5.3.2. Upon written request, Everfit shall supply (subject to confidentiality protections) a summary copy of its most current audit report(s) (“Audit Report”) to Trainer, so that Trainer can verify Everfit’s compliance with the audit standards against which it has been assessed.

5.3.3. Should an audit be requested under applicable Data Protection Laws to assess Everfit’s compliance with the terms of this Agreement, the parties shall select an accredited independent third-party audit firm that is mutually agreeable to both parties. Trainer shall be responsible for all costs, fees, and expenses related to such audit. The scope of the audit shall be limited to Everfit’s compliance with Data Protection Laws as applied under this Agreement. Notwithstanding the foregoing, the audit shall occur during regular business hours, with reasonable advance notice to Everfit, and subject to confidentiality protections. Trainer may not audit Everfit more than once annually.

 

6. International Transfers

6.1. The Trainer acknowledges and agrees that Everfit may transfer and process personal data in and to servers and databases located in the United States and anywhere else in the world where Everfit, its affiliates, or its Sub-processors maintain their servers, provided that Everfit shall comply with the provisions of applicable Data Protection Laws relating to the transfer.

6.2. To the extent that Everfit transfers Trainer Data protected by EU Data Protection Law, Everfit and Trainer agree to abide by and process Trainer Data in compliance with the Standard Contractual Clauses, which are incorporated in full by reference and form an integral part of this Agreement. For purposes of the Standard Contractual Clauses, Everfit agrees that (i) it is the “data importer” and Trainer is the “data exporter” under Part A of Annex 1 of the Standard Contractual Clauses (notwithstanding that Trainer may itself be an entity located outside the EU); and (ii) Schedule A of this Agreement shall replace Parts B and C of Annex 1 of the Standard Contractual Clauses, respectively. The parties further agree that the Standard Contractual Clauses will solely apply to Trainer Data that is transferred via Everfit Services from the EEA, the UK, and/or Switzerland to outside the EEA, the UK, and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Law).

6.3. The Trainer acknowledges and agrees that Everfit shall be entitled to enter into Standard Contractual Clauses with any Sub-processor.

 

7. Limitation of Liability

7.1. Except as otherwise required under Data Protection Laws, Everfit’s liability under this Agreement is limited to the extent and amount set out in our Terms of Service.

 

8. Jurisdiction Specific Terms

8.1. To the extent Everfit processes Trainer Data originating from and protected by applicable Data Protection Laws in one of the jurisdictions listed in Schedule C, then the terms specified in Schedule C with respect to the applicable jurisdiction(s) (“Jurisdiction Specific Terms”) apply in addition to the terms of this Agreement. In case of any conflict or ambiguity between the Jurisdiction Specific Terms and any other terms of this Agreement, the applicable Jurisdiction Specific Terms will take precedence.

 

9. Miscellaneous

9.1. Superseding Agreement. Unless otherwise agreed to between the parties, Trainer acknowledges and agrees this Agreement shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with Everfit Services.

9.2. Severability. If any one or more of the provisions contained in this Agreement is, for any reason, held to be invalid, illegal, or unenforceable in any respect, that invalidity, illegality, or unenforceability will not affect any other provisions of this Agreement, but this Agreement will be construed as if those invalid, illegal, or unenforceable provisions had never been contained in it, unless the deletion of those provisions would result in such a material change so as to cause completion of the transactions contemplated by this Agreement to be unreasonable.

9.3. Assignments. No one other than a party to this Agreement, its successors and permitted assignees (as determined in our Terms of Service) shall have any right to enforce any of its terms.

9.4. Conflicts. In the event of any conflict or inconsistency between any of the terms of this Agreement and our Terms of Service, the provisions of the following documents (in order of precedence) shall prevail: (i) the Standard Contractual Clauses (where applicable); (ii) this Agreement; and (iii) our Terms of Service.

9.5. Updates. Everfit may update the terms of this Agreement from time to time, at its sole discretion, provided Everfit gives Trainer reasonable advance notice of the update. Any additional amendments, change or alteration of this Agreement must be made in writing and duly signed by both parties in order to become valid and effective.

9.6. Notices. Unless otherwise specified in this Agreement, each party giving notice or other communication required or permitted under this Agreement shall use one of the following methods of delivery: personal delivery, mail (registered or certified mail, postage prepaid, return-receipt requested), nationally recognized overnight courier (fees prepaid), or email.

 

9.7. Headings. The descriptive headings of the sections and subsections of this Agreement are for convenience only, and do not affect this Agreement’s construction or interpretation.

 

9.8. Gender/Plural. Whenever such wording may appear in this Agreement, words in the singular shall mean and include the plural and vice versa and words in the feminine shall mean and include the masculine and vice versa.

10. Governing Law and Jurisdiction; Disputes and Arbitration

10.1. Unless otherwise required by applicable Data Protection Laws, this Agreement shall be governed in accordance with the laws of the State of California without regard to its conflicts of laws principles. Any action arising out of or relating to this Agreement shall be filed only in the state or federal courts located in the County of San Francisco in the State of California. You consent and submit to the exclusive personal jurisdiction of such courts for the purpose of litigating any such action.

10.2. Any dispute, controversy, proceeding, or claim arising out of or in connection with or relating to this Agreement shall be resolved by binding confidential arbitration by JAMS pursuant to its Optional Expedited Arbitration Procedures then in effect for JAMS. The arbitration will be conducted in New York County, New York, unless Trainer and Everfit agree otherwise. Any judgment on the award rendered by the arbitrator may be entered in any court of competent jurisdiction.

 

Schedule A: Details of Processing

Everfit’s Processing of Trainer Data under this Agreement shall be in accordance with this Schedule A.

 

 
B. DESCRIPTION OF TRANSFER
Data subjects
The Personal Data transferred concern the following categories of data subjects: Trainers and Clients, as described in this Agreement.
Categories of data
The Personal Data transferred concern the following categories of data: A Trainer may upload, submit, or otherwise provide certain personal data to the Platform, the extent of which is typically determined and controlled by the Trainer, in its sole discretion. The type of data subjects and categories of personal data included will depend on the nature of the Trainer Content, and may include personal data about the Trainer and/or third parties Clients, such as biographical and contact information.
Sensitive data transferred (if appropriate)
The Personal Data transferred concern the following sensitive data:
– Biometric data processed solely to identify users;
– Health-related data.

The sensitive data transferred will be subject to the following applied restrictions and safeguards that fully take into consideration the nature of the data and the risks involved: Strict purpose limitation, encryption, access restrictions, keeping a record of access to the data, restrictions for onward transfers and additional security measures.
Frequency of the transfer
(e.g. whether the data is to be transferred on a one-off or continuous basis): Continuous basis.
Nature of the processing
The Personal Data transferred will be subject to the following basic processing activities:
Everfit provides an open online content creation platform and additional services and tools to allow Trainers to offer coaching, education, and other services to their Clients. Trainers may upload, submit, or otherwise provide Trainer Content to the Everfit Platform in connection with their use of Everfit Services.
Purpose(s) of the data transfer and further processing 
The Personal Data is transferred for the following purpose(s):
Everfit will process any personal data that is included in Trainer Content (“Trainer Data”) only in accordance with Trainer’s documented instructions, including to (i) provide Everfit Services, in accordance with our Terms of Service; (ii) to comply with any other reasonable instructions provided by Trainer that are consistent with our Terms of Service; and (iii) to comply with any applicable law.
The period for which the personal data will be retained 
If that is not possible, the criteria used to determine that period:
The duration of the Services as described in the Agreement, unless otherwise stated in the Agreement. Everfit will store Trainer Data in accordance with Section 3.6 of this Agreement (Term and Termination).
Transfers to subprocessors
Specify the subject matter, nature and duration of the processing:
Transfers to Sub-processors will occur where necessary for the provision of the Services in accordance with Section 3.5 of this Agreement (Sub-processors).
C. COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority/ies in accordance with Clause 13:
Irish Data Protection Commissioner.

Schedule B: Security Measures

The Security Measures applicable to the Everfit Platform are described here (as updated from time to time in accordance with Section 5.1 of this Agreement).

Schedule C: Jurisdiction-Specific Terms

California:

  1. The definitions of: “Controller” includes “Business”; “Sub-Processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the California Consumer Privacy Act (“CCPA”).
  2. Everfit’s obligations regarding data subject requests, as described in Section 4 of this Agreement, apply to Consumers’ rights under the CCPA.
  3. For this “California” section of Schedule C only, Trainer’s documented instructions shall include, in addition to the purposes set out in Section 2.2, processing of Trainer Data as may be permitted for “service providers” under CCPA.
  4. Everfit agrees not to (i) sell (as defined by the CCPA) Trainer Data or Client Data or (ii) retain, use, or disclose Trainer Data outside of the scope of this Agreement and our Terms of Service.