This United States Privacy Law Addendum (the “Addendum”) supplements the Terms of Service (the “Agreement”) entered into by and between Customer and OpenPhone (and, collectively, the “Parties”) and includes the terms required by the applicable Privacy Laws (defined below). Any terms not defined in this Addendum shall have the meaning set forth in the Agreement.
1. Definitions
- 1.1 “Authorized Subprocessor” means a third-party subprocessor, subcontractor, agent, reseller, or auditor engaged by Vendor, or employee of the same, that has a need to know or otherwise access OpenPhone’s Personal Data to enable OpenPhone to perform its obligations under this Addendum or the Agreement, and that has been previously approved by Customer in accordance with Section 4.1 of this Addendum, and who is bound in writing by a data processing agreement pursuant to which their duties and obligations to protect Personal Data are in strict accordance with the terms hereof.
- 1.2 “OpenPhone Account Data” means Personal Data that relates to OpenPhone’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. OpenPhone Account Data also includes any data OpenPhone may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
- 1.3 “OpenPhone Usage Data” means Service usage data collected and processed by OpenPhone in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
- 1.4 “Consumer” means a natural person who is a resident of, as applicable: (1) California, however identified, including by any unique identifier; or (2) Colorado, Virginia, or Utah acting only in an individual or household context; or Connecticut, acting only in an individual context.
- 1.5 “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of Processing Personal Data. “Controller” includes a “Business” as defined by the CCPA.
- 1.6 “Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable Consumer that is processed by OpenPhone on behalf of the Customer pursuant to the Agreement. “Personal Data” includes “Personal Information” or “Personal Data” as defined by the applicable Privacy Law.
- 1.7 “Privacy Laws” means, as applicable, (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), (ii) the Virginia Consumer Data Protection Act (“VCDPA”), (iii) the Colorado Privacy Act (“CPA”), (iv) the Connecticut Data Privacy Act (“CTDPA”), and (v) the Utah Consumer Privacy Act (“UCPA”), in each case as updated, amended or replaced from time to time.
- 1.8 “Process” or “Processing” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.
- 1.9 “Processor” means a natural or legal entity that Processes Personal Data on behalf of a Controller or a Business. “Processor” includes “Service Provider,” and “Contractor,” as defined by applicable Privacy Laws.
2. Nature and Purpose of Processing
- 2.1 Nature and Purpose of Processing: Except with respect to OpenPhone Account Data and OpenPhone Usage Data, OpenPhone shall Process Personal Data provided by Customer under the Agreement as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause OpenPhone to be in breach of the Privacy Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to OpenPhone by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to OpenPhone regarding the processing of such Personal Data. Customer shall not provide or make available to OpenPhone any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify OpenPhone from all claims and losses in connection therewith. Such purposes shall include the services set forth in the Order Form and/or Agreement.
- 2.2 Duration of Processing: OpenPhone shall Process Personal Data provided by Customer as long as required (i) to provide the Services to Customer under the Agreement, or (ii) by applicable law or regulation.
- 2.3 Categories of Consumers: OpenPhone may Process the following categories of Personal Data provided by Customer: Customer’s end-users, customers, prospects, and employees.
- 2.4 Categories of Personal Data: OpenPhone may Process the following categories of Personal Data provided by Customer: name, location, email address, phone number, address, occupation, title, call recordings, call transcriptions.
- 2.5 Customer Obligations Regarding Personal Data: Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to OpenPhone by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to OpenPhone regarding the processing of such Personal Data. Customer shall not provide or make available to OpenPhone any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify OpenPhone from all claims and losses in connection therewith.
3. Audits
- 3.1 To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, OpenPhone shall either (1) make available for Customer’s review copies of certifications or reports demonstrating OpenPhone’s compliance with prevailing data security standards applicable to the Processing of Personal Data provided by Customer under the Agreement, or (2) if the provision of reports or certifications pursuant to (1) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third party representative to conduct an audit or assessment of OpenPhone’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to OpenPhone’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to OpenPhone for any time expended for on-site audits.
4. Authorized Subprocessors
- 4.1 A list of OpenPhone’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto, at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by OpenPhone from time to time. OpenPhone may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the processing of Personal Data, OpenPhone will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing OpenPhone within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent OpenPhone from offering the Services to Customer.
- 4.2 If Customer reasonably objects to an engagement in accordance with Section 4.1, and OpenPhone cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to OpenPhone. Discontinuation shall not relieve Customer of any fees owed to OpenPhone under the Agreement.
- 4.3 If Customer does not object to the engagement of a third party in accordance with Section 4.1 within ten (10) days of notice by OpenPhone, that third party will be deemed an Authorized Subprocessor for the purposes of this Addendum.
- 4.4 OpenPhone will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on OpenPhone under this Addendum with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with OpenPhone, OpenPhone will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.
5. Security of Personal Data
- 5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, OpenPhone shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data.
6. Consumer Requests
- 6.1 OpenPhone shall, to the extent permitted by law, notify Customer upon receipt of a Verifiable Consumer Request, as defined in the applicable Privacy Laws. If OpenPhone receives a request from a Consumer in relation to Customer’s data, OpenPhone shall advise Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that any Verifiable Consumer Requests are communicated to OpenPhone, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.
7. California-Specific Terms
- 7.1 Additional Definitions
- 7.1.1 For purposes of this Section 7, the terms “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” shall have the meanings set forth in the CCPA.
- 7.2 Obligations
- 7.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Information subject to the CCPA.
- 7.2.2 Except with respect to OpenPhone Account Data and OpenPhone Usage Data (as defined in the Addendum), the parties acknowledge and agree that OpenPhone is a Service Provider for the purposes of the CCPA (to the extent it applies) and OpenPhone is receiving Personal Information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.
- 7.2.3 OpenPhone shall not Sell or Share Personal Information provided by Customer under the Agreement.
- 7.2.4 OpenPhone shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship with Customer or for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.
- 7.2.5 OpenPhone shall notify Customer if OpenPhone makes a determination that it can no longer meet its obligations under the CCPA.
- 7.2.6 OpenPhone will not combine Personal Information received from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.
- 7.2.7 OpenPhone shall comply with all obligations applicable to Service Providers under the CCPA, including by providing Personal Information provided by Customer under the Agreement the level of privacy protection required by the CCPA.
- 7.2.8 If Customer determines that OpenPhone is Processing Personal Information in an unauthorized manner, Customer may, taking into account the nature of OpenPhone’s Processing and the nature of the Personal Information Processed by OpenPhone on behalf of Customer, take commercially reasonable and appropriate steps to stop and remediate such unauthorized Processing.
8. Virginia-Specific Terms
- 8.1 Additional Definitions
- 8.1.1 For purposes of this Section 8, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the VCDPA.
- 8.2 Obligations
- 8.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the VCDPA.
- 8.2.2 Except with respect to OpenPhone Account Data and OpenPhone Usage Data (as defined in the Addendum), the parties acknowledge and agree OpenPhone is a Processor for the purposes of the VCDPA (to the extent it applies).
- 8.2.3 OpenPhone shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the VCDPA by: (i) in the event of a data breach, providing information sufficient to enable Customer to meet its obligations pursuant to Virginia’s breach notification laws (Va. Code § 18.2-186.6); and (ii) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by VCDPA.
- 8.2.4 OpenPhone shall maintain the confidentiality of Personal Data provided by Customer and require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
- 8.2.5 Upon OpenPhone’s written request, OpenPhone shall delete or return all Personal Data provided by Customer under the Agreement, unless retention of such Personal Data is required or authorized by law or the Addendum and/or Agreement. If return or destruction is impracticable or prohibited by law, rule or regulation, OpenPhone shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect such Personal Data remaining in its possession, custody, or control.
- 8.2.6 Upon Customer’s written request at reasonable intervals, OpenPhone shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate OpenPhone’s compliance with its obligations under the VCDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the VCDPA and in conformance with Section 3 of this Addendum.
9. Colorado-Specific Terms
- 9.1 Additional Definitions
- 9.1.1 For purposes of this Section 9, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CPA.
- 9.2 Obligations
- 9.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the CPA.
- 9.2.2 Except with respect to OpenPhone Account Data and OpenPhone Usage Data (as defined in the Addendum), the parties acknowledge and agree that OpenPhone is a Processor for the purposes of the CPA (to the extent it applies).
- 9.2.3 OpenPhone shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
- 9.2.4 Upon Customer’s written request, OpenPhone shall delete or return all Personal Data provided by Customer.
- 9.2.5 Upon Customer’s written request at reasonable intervals, OpenPhone shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate OpenPhone’s compliance with its obligations under the CPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CPA and in conformance with Section 3 of this Addendum.
10. Connecticut-Specific Terms
- 10.1 Additional Definitions
- 10.1.1 For purposes of this Section 10, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CTDPA.
- 10.2 Obligations
- 10.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the CTDPA.
- 10.2.2 Except with respect to OpenPhone Account Data and OpenPhone Usage Data (as defined in the Addendum), the parties acknowledge and agree that OpenPhone is a Processor for the purposes of the CTDPA (to the extent it applies).
- 10.2.3 OpenPhone shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
- 10.2.4 Upon Customer’s written request, OpenPhone shall delete or return all Personal Data provided by Customer.
- 10.2.5 Upon Customer’s written request at reasonable intervals, OpenPhone shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate OpenPhone’s compliance with its obligations under the CTDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CTDPA and in conformance with Section 3 of this Addendum.
11. Utah-Specific Terms
- 11.1 Additional Definitions
- 11.1.1 For purposes of this Section 11, the terms “Consumer,” “Controller,” “Personal data,” “Processing,” and “Processor” shall have the meanings set forth in the UCPA.
- 11.2 Obligations
- 11.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the UCPA.
- 11.2.2 Except with respect to OpenPhone Account Data and OpenPhone Usage Data (as defined in the Addendum), the parties acknowledge and agree that OpenPhone is a Processor for the purposes of the UCPA (to the extent it applies).
- 11.2.3 OpenPhone shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.