Data Terms

1.1 Equalize Digital as Processor.

In situations where Customer is a Controller of the Customer Personal Data, Equalize Digital will be deemed a Processor that is Processing Personal Data on behalf of Customer.

1.2 Equalize Digital as Subprocessor.

In situations where Customer is a Processor of the Customer Personal Data, Equalize Digital will be deemed a Subprocessor of the Customer Personal Data.

2.1 Processing Details.

This DPA applies to Customer Personal Data processed in connection with Equalize Digital’s opt-in Email Reports feature for Accessibility Checker. The Service collects Customer’s website accessibility statistics to generate and deliver periodic email reports to Customer and contacts specified by Customer. This feature facilitates the monitoring of accessibility trends specific to Customer’s website at no additional cost.

This DPA applies solely to Customer Personal Data processed in connection with that Email Reports feature. For Customers who have not opted in to that feature, Equalize Digital processes no Customer Personal Data under this DPA.

The Processing covered by this DPA has the following characteristics:

• Categories of Data Subjects: Customer’s employees, contractors, or other designated individuals authorized by Customer to receive Accessibility Reports.
• Categories of Personal Data: name and contact information such as email, phone number, or address.
• Special Category Data: no special category data under GDPR Article 9 is processed.
• Frequency of Transfer: continuous
• Nature and Purpose of Processing: Receiving data, including collection, access, retrieval, recording, and data entry; holding data, including storage, organization, and structuring; and using data, including analysis, consultation, testing, automated decision making, and profiling.
• Duration of Processing: Equalize Digital will process Customer Personal Data as long as required (i) to conduct the Processing activities instructed in Section 2.2(a)-(d) of this DPA, or (ii) by Applicable Laws.

Customer acknowledges that the Service is not intended for the Processing of sensitive personally identifiable information or Special Category Data. Customer warrants that it will configure Accessibility Checker to exclude any non-public or sensitive areas of its website from scans.

Customer further acknowledges that, although the Service provides high-level statistics and does not transmit detailed information regarding specific accessibility issues, underlying local scans may inadvertently capture personally identifiable information if that data is contained within code snippets or images flagged for accessibility errors. This risk is particularly relevant to websites with protected or non-public areas where sensitive information is displayed. Customers with highly sensitive websites should evaluate their content and exclude areas containing regulated or sensitive data from Accessibility Checker scans to ensure compliance with their own privacy obligations.

2.2 Processing Instructions.

Customer instructs Equalize Digital to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Equalize Digital about Processing Customer Personal Data under this DPA.

Equalize Digital will abide by these instructions unless prohibited from doing so by Applicable Laws. Equalize Digital will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.

2.3 Processing by Equalize Digital.

Equalize Digital will only Process Customer Personal Data in accordance with this DPA, including the processing details set out in Section 2.1. If Equalize Digital updates the Service to update existing or include new products, features, or functionality, Equalize Digital may change the Categories of Data Subjects, Categories of Personal Data, Special Category Data, Special Category Data Restrictions or Safeguards, Frequency of Transfer, Nature and Purpose of Processing, and Duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.

2.4 Customer Processing.

Where Customer is a Processor and Equalize Digital is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.

2.5 Consent to Processing.

Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Equalize Digital and the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.

2.6 Subprocessors.

(a) By opting into the Service, Customer provides general authorization for Equalize Digital to use the Approved Subprocessors listed in this DPA to Process Customer Personal Data as necessary to provide the Service. The current list of Approved Subprocessors includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks.

Equalize Digital may add or replace Subprocessors as needed to provide, maintain, or improve the Service. Equalize Digital will provide notice of any material addition or replacement of an Approved Subprocessor before the change takes effect, when commercially reasonable. If Customer reasonably objects to a new Subprocessor on data protection grounds, the parties will work in good faith and seek to resolve the concern. If the concern cannot be resolved, Customer may discontinue use of the affected portion of the Service.

The currently Approved Subprocessors are:

• WP Engine, located in the United States, for software license activation, license status checks through the Easy Digital Downloads WordPress Plugin API, and accepting and relaying data sent from Customer’s site for Accessibility Checker Email Reports to another processor.
• Postmark, located in the United States, for accepting and processing data received from WP Engine for the purpose of generating and sending Accessibility Checker Email Reports.

(b) When engaging a Subprocessor, Equalize Digital will use Subprocessors that make available written data processing terms, privacy terms, or similar policies designed to protect Customer Personal Data and restrict the Subprocessor’s Processing of Customer Personal Data to the Processing necessary to provide the applicable subcontracted services.

(c) If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA, as referred to in Article 28(3) of the GDPR, if applicable, are also imposed on the Subprocessor, and (ii) Equalize Digital’s agreement with the Subprocessor will incorporate these obligations, including details about how Equalize Digital and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. 

Equalize Digital will, upon reasonable request, make available information reasonably sufficient to describe its Subprocessors’ data protection obligations. Copies of Subprocessor agreements or applicable terms may be provided at Equalize Digital’s discretion, subject to redaction of confidential, security-sensitive, or commercially sensitive information.

(d) Equalize Digital remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. Equalize Digital will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between Equalize Digital and the Subprocessor.

3.1 Authorization.

Customer agrees that Equalize Digital may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Equalize Digital transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Equalize Digital will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.

3.2 Ex-EEA Transfers.

Customer and Equalize Digital agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to Equalize Digital outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Equalize Digital are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:

(a) Module Two (Controller to Processor) of the EEA SCCs apply when Customer is a Controller and Equalize Digital is Processing Customer Personal Data for Customer as a Processor.

(b) Module Three (Processor to Sub-Processor) of the EEA SCCs apply when Customer is a Processor and Equalize Digital is Processing Customer Personal Data on behalf of Customer as a Subprocessor.

(c) For each module, the following applies when applicable:

• i. the optional docking clause in Clause 7 does not apply
• ii. in Clause 9, Option 2, general written authorization, applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days
• iii. in Clause 11, the optional language does not apply
• iv. all square brackets in Clause 13 are removed
• v. in Clause 17, Option 1, the EEA SCCs will be governed by the laws of the Governing Member State for EEA Transfers
• vi. in Clause 18(b), disputes will be resolved in the courts of the Governing Member State for EEA Transfers
• vii. this DPA contains the information required in Annex I, Annex II, and Annex III of the EEA SCCs

3.3 Ex-UK Transfers.

Customer and Equalize Digital agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to Equalize Digital outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Equalize Digital are deemed to have signed the UK Addendum and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:

(a) Section 3.2 of this DPA contains the information required in Table 2 of the UK Addendum.

(b) Table 4 of the UK Addendum is modified as follows: neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent the ICO issues a revised approved addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.

(c) This DPA contains the information required by Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum.

3.4 Other International Transfers.

For Personal Data transfers where Swiss law, and not the law in any EEA member state or the United Kingdom, applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.

4.1 Security Incident Response.

Upon becoming aware of any Security Incident, Equalize Digital will: 

(a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; 

(b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and 

(c) promptly take reasonable steps to contain and investigate the Security Incident. 

Equalize Digital’s notification of or response to a Security Incident, as required by this DPA, will not be construed as an acknowledgment by Equalize Digital of any fault or liability for the Security Incident.

5.1 Audit Rights.

To the extent required by Applicable Data Protection Laws or the EEA SCCs or UK Addendum, Equalize Digital will make available information reasonably necessary to demonstrate its compliance with this DPA. Customer may request this information in writing no more than once per year, unless Applicable Data Protection Laws require otherwise or Customer has a reasonable, documented basis to believe that Equalize Digital is not complying with this DPA.

Equalize Digital may satisfy an audit or information request by providing existing documentation, written responses, or other information reasonably available to Equalize Digital. Equalize Digital may decline or limit any request that is excessive, duplicative, unrelated to the Service, or that could compromise Equalize Digital’s security, confidentiality obligations, systems, intellectual property, or other customers.

Any custom audit, inspection, questionnaire, assessment, meeting, or documentation request that requires material time or effort from Equalize Digital may be provided at Customer’s sole expense, subject to the Minimum Request Charge.

5.2 Security Information.

Equalize Digital’s security practices for the Service are based on commercially reasonable internal processes. Upon Customer’s reasonable written request, Equalize Digital may provide information about its then-current security practices for the Service, subject to confidentiality obligations and reasonable limitations intended to protect Equalize Digital’s systems, security, confidential information, and other customers. Any custom security review, questionnaire, assessment, meeting, or documentation request that requires material time or effort from Equalize Digital may be provided at Customer’s sole expense, subject to the Minimum Request Charge.

5.3 Security Due Diligence.

Upon Customer’s reasonable written request, made no more than once per year, Equalize Digital may provide existing information reasonably available to demonstrate its compliance with this DPA. Any custom questionnaire, assessment, meeting, documentation request, or other due diligence support that requires material time or effort from Equalize Digital may be provided at Customer’s sole expense, subject to the Minimum Request Charge.

6.1 Response to Inquiries.

If Equalize Digital receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Equalize Digital will notify Customer about the request and Equalize Digital will not respond to the request without Customer’s prior consent. Examples of these kinds of inquiries and requests include a judicial, administrative, or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. 

If allowed by Applicable Law, Equalize Digital will follow Customer’s reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. 

If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to Equalize Digital, Equalize Digital will assist Customer in fulfilling the request according to the Applicable Data Protection Law. Equalize Digital will cooperate with and provide reasonable assistance to Customer, at Customer’s sole expense subject to the Minimum Request Charge, in any legal response or other procedural action taken by Customer in response to a third-party request about Equalize Digital’s Processing of Customer Personal Data under this DPA.

6.2 DPIAs and DTIAs.

If required by Applicable Data Protection Laws, Equalize Digital will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.

Any assistance provided by Equalize Digital for the completion of data protection impact assessments or data transfer impact assessments will be provided at Customer’s sole expense, subject to the Minimum Request Charge.

7.1 Deletion by Customer.

Equalize Digital will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. Equalize Digital will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.

7.2 Deletion at DPA Expiration.

(a) After the DPA expires, Equalize Digital will return or delete Customer Personal Data at Customer’s instruction unless further storage of Customer Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, Equalize Digital will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control. For example, Applicable Laws may require Equalize Digital to continue hosting or Processing Customer Personal Data.

(b) If Customer and Equalize Digital have entered the EEA SCCs or the UK Addendum as part of this DPA, Equalize Digital will only give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.

8.1 Liability Limits.

To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement. Notwithstanding anything to the contrary, the parties agree that any and all liability arising out of or related to this DPA, including any Security Incident, is subject to the General Cap Amount and Damages Waiver established in the Software License Agreement. For the avoidance of doubt, the liability caps in the Agreement and this DPA are cumulative and not per incident.

8.2 Claim Limitation.

Any claims made against Equalize Digital or its Affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.

8.3 Exceptions.

This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.

9.1 Order of Precedence.

This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.

10.1 Term.

This DPA attaches to and supplements the Software License Agreement and will start when Equalize Digital and Customer enter into the Agreement or Customer opts in to the Service. This DPA will continue until the Agreement expires or is terminated. However, Equalize Digital and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Equalize Digital and Equalize Digital stops Processing Customer Personal Data.