Data Processing Addendum and Agreement

Bronto Data Processing Addendum – Prior to April 16, 2018

If your Estimate/Order Form (“order”) with Oracle for the Bronto services was placed before April 16, 2018 and incorporates the Bronto Data Processing Addendum found on this webpage (below), then the version of the Data Processing Addendum found on this webpage applies to your orders unless it is otherwise specified in this Data Processing Addendum, the order or the Subscription Services Agreement that governs your order.

Note: the Bronto Data Processing Addendum may only be used for the Bronto services.

Data Processing Agreement and Data Security Addendum – On or after April 16, 2018

If your Estimate/Order Form (“order”) with Oracle for the Bronto services was placed on or after April 16, 2018 and before September 12, 2018 and incorporates or does not expressly exclude the Data Processing Agreement for Oracle Cloud Services (“Data Processing Agreement”) available at www.oracle.com/contracts, then the January 12, 2018 version of the Data Processing Agreement automatically applies to your order.

If your Estimate/Order Form (“order”) with Oracle for the NetSuite service is placed after September 12, 2018 and incorporates or does not expressly exclude the Data Processing Agreement for Oracle Cloud Services (“Data Processing Agreement”) available at www.oracle.com/contracts, then the July 27, 2018 version of the Data Processing Agreement automatically applies to your order.

Link to the Data Processing Agreement

You can also access the July 27, 2018 version of the Data Processing Agreement by going to www.oracle.com/contracts.

In addition, the Data Security Addendum located at the link below also automatically applies to your order.

Bronto Data Security Addendum Download (Updated April 2017)


Oracle America, Inc., having offices at 500 Oracle Parkway, Redwood Shores, CA, 94403 (“Oracle”) and the entity signing this Bronto Data Processing Addendum which is also currently a party to the Oracle Subscription Services/License Agreement with Oracle (such agreement, the “Commercial Agreement”) and such entity’s Affiliates whose right to use the Applicable Services (as defined below) is granted by and is subject to the Commercial Agreement (collectively, “Customer”) hereby agree to this Bronto Data Processing Addendum as of the date the fully-signed version is received by Oracle by email at privacyaddendum@netsuite.com (the “Effective Date”), in reliance on the facts and agreed terms in Sections A through M below. If Customer is not a party to or otherwise currently governed by the Commercial Agreement, then this Bronto Data Processing Addendum and all attachments are not valid and are not legally binding. Unless specifically defined herein, any capitalized terms used in this Bronto Data Processing Addendum shall have the meaning defined in the Commercial Agreement.

  1. Oracle and Customer have entered into the Commercial Agreement, under which Oracle provides access to the Bronto commerce marketing automation service and/or such other services and ancillary services (i.e. technical support and consulting) (collectively “Applicable Services”) as set forth in the Commercial Agreements. For clarification, Applicable Services do not include third party products and services that may interoperate with the Applicable Services (“Third Party Products”). If Customer installs or enables a Third Party Product for use with the Applicable Services, Customer grants Bronto permission to allow the applicable third party provider to access the electronic data or information Customer submitted to and stored in the Applicable Services (“Customer Data”) as reasonably required for the interoperation of that Third Party Product with the Applicable Services. Bronto is not responsible for any disclosure, modification, or deletion of Customer Data resulting from access by a Third Party Product or third party provider. Oracle may be providing Applicable Services to Customer, and Customer Affiliate(s), depending on the terms of the Commercial Agreement. To the extent Oracle provides Applicable Services pursuant to an agreement in addition to the Commercial Agreement, the term Commercial Agreement as used herein shall be deemed to refer to such other agreement for such Applicable Services only.
  2. This Bronto Data Processing Addendum defines the parties' obligations with respect to the processing of European Economic Area and Switzerland personal data relating to data subjects in such jurisdictions which Customer inputs into the Applicable Services. As used herein, the terms “personal data”, “processing”, “processor”, “subprocessor”, “controller” and “data subject” shall have the meanings given to them in Directive 95/46/EC of 24 October 1995. This Bronto Data Processing Addendum hereby supplements the Commercial Agreement to add this Bronto Data Processing Addendum as the “Data Processing Addendum Exhibit”, the combination of which is intended to be the final and entire expression of the parties’ agreement on the subject matter hereof. The Customer decides what data to upload and process, or to allow its users/customers to upload and process, on the Applicable Services. The data subjects may include consumers and Customer’s representatives and end users, such as employees, contractors, collaborators, partners, and customers of the Customer. Data subjects also may include individuals attempting to communicate or transfer Personal Data to users of the Applicable Services. Personal Data may include, among other information, contact information (such as name, email, and telephone numbers), personal or other demographic and statistical data related to each data subject, and invoicing data regarding the Customer and/or its users and customers.
  3. Oracle will process the personal data to provide the Applicable Services, and to otherwise carry out the Customer’s instructions as set forth in the Commercial Agreement. Such instructions may include actions by users in their use of the Applicable Services. Customer acknowledges and agrees that Customer is the controller of such personal data and Customer remains responsible for the obligations of a controller, including but not limited to, the responsibility for complying with any laws and regulations providing for notice, choice, and/or consent prior to transferring the personal data to Oracle for processing. Customer shall disclose personal data to Oracle only as necessary for Oracle to provide the Applicable Services in accordance with the Commercial Agreement.
  4. Oracle shall maintain appropriate administrative, physical and technical safeguards designed to protect personal data provided through the Applicable Services as described in Exhibit A to this Bronto Data Processing Addendum, to the extent applicable to Oracle’s processing of personal data.
  5. Customer hereby instructs and authorizes the use of subprocessors, including Affiliates of Oracle, to assist Oracle with respect to the performance of Oracle's obligations in connection with the Commercial Agreement. Oracle requires such subprocessors undertake obligations of a subprocessor as required by this Bronto Data Processing Addendum. Oracle, its Affiliates and subprocessors provide the Applicable Services globally, but any processing of personal data shall only take place in facilities in jurisdictions in which Oracle, its Affiliates or its subprocessors support the provision of the Applicable Services.
  6. For any audits or certifications, except where applicable law requires otherwise, the parties agree they will utilize the most recent audits/certifications as set forth in the Commercial Agreement to satisfy such requirements. If such audits/certifications do not satisfy the requirement, or if Customer makes some other request or instruction of Oracle, Oracle shall respond in good faith and provide Customer with commercially reasonable information on Oracle's standard processes and an estimate of additional fees and costs that Customer would have to pay before Oracle has to grant any requests or instructions that Oracle does not offer as part of its standard services. Customer shall not be obligated to pay such additional fees or costs, unless and until Customer, at its sole discretion, agrees to such payment obligations in writing. Oracle shall not be obligated to meet Customer’s requests or instructions until agreement on additional payments, if any, is reached, and Oracle has received such payments, if any. If the parties, acting reasonably and in good faith, cannot come to an agreement on such payments, requests or instructions, Customer may terminate the Commercial Agreement, subject to Customer’s payment of all fees for the then-current term, as such term had originally been agreed by the parties.
  7. For the Term of the Commercial Agreement, Oracle shall provide Customer access to the personal data so that Customer may correct, delete, or block such personal data. If Customer is unable to correct, delete, or block such personal data, then to the extent permitted by law and pursuant to Customer’s detailed written instructions, Oracle will make such corrections, amendments, or deletions on Customer’s behalf pursuant to a mutually agreeable statement of work in which Customer agrees to pay Oracle’s reasonable fees associated with the performance of any such correction, deletion or blocking of personal data.
  8. In the event of a Security Incident, Oracle will notify Customer in accordance with Oracle’s obligations under the applicable law or regulatory requirement that applies to the Security Incident. “Security Incident” shall mean the misappropriation of personal data located on Oracle systems or processed by providing the Applicable Services that compromises the security, confidentiality, or integrity of such personal data.
  9. Upon any termination or expiration of the Commercial Agreement, Oracle will comply with its obligations in the Commercial Agreement related to confidentiality and the deletion and/or return of such data.
  10. In order to enable Customer to meet requirements under applicable data protection laws pursuant to Articles 25(1) and 26(1) of Directive 95/46/EC of 24 October 1995 (the “Directive”), the parties hereby agree that transfers from Customer to Oracle or Oracle Affiliates are made subject to the terms of this Bronto Data Processing Addendum and (i) the Standard Contractual Clauses (Processors) (“SCC 2010”), with Customer acting as the “data exporter” and Oracle and/or the Oracle Affiliate(s) acting as the “data importer(s)” (as those terms are defined in the SCC 2010); or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the applicable requirements of Articles 25 and 26 of the Directive. The terms of this Bronto Data Processing Addendum shall be read in conjunction with the SCC 2010 or other appropriate transfer mechanism referred to in the prior sentence. For transfers from Oracle to Oracle Affiliates, Oracle shall ensure that such transfers are subject to (i) the terms of the Oracle intra-company agreement entered into between Oracle Corporation and the Oracle Affiliates, which requires all transfers of personal data to be made in compliance with the SCC 2010 and with all applicable Oracle security and data privacy policies and standards; or (ii) other appropriate transfer mechanisms that provide an adequate level of protection in compliance with the applicable requirements of Articles 25 and 26 of the Directive. For transfers from Oracle or Oracle Affiliates to Subprocessors, Oracle requires the Subprocessor to execute SCC 2010 incorporating security and other data privacy requirements consistent with those of this Bronto Data Processing Addendum. Customer may terminate the SCC 2010 at its discretion by written notice to Oracle. 
The SCC 2010 shall apply only to the transfer of personal data to any country not recognized by the European Commission as providing adequate protection of personal data or any recipient not covered by a legal framework deemed by the European Commission as providing an adequate level of protection for personal data. The SCC 2010 are effective as of the Effective Date and will not apply retroactively. The SCC 2010 will automatically terminate upon (i) the end of the Term of the Commercial Agreement or otherwise upon conclusion of Oracle’s provision of the Applicable Services or (ii) Oracle having implemented alternative adequate safeguards in compliance with the applicable requirements of Articles 25 and 26 of the Directive or, as applicable, Article 6 of the Swiss Federal Act of 19 June 1992 on Data Protection, as amended, including the Ordinance to the FADP, and any applicable law or regulation that will amend or replace it, and other applicable local laws and regulations concerning international and onward data transfers (e.g. Binding Corporate Rules for Processors).
  11. If Oracle receives a request from a data subject in connection with the processing of such person’s personal data on Customer’s behalf, then Oracle shall notify Customer, to the extent legally permitted; provided, however, that Customer shall have the sole obligation of responding directly to such data subject. Oracle shall reasonably cooperate with Customer in the event of an investigation by a data protection regulator or similar authority, if and to the extent that such investigation relates to Oracle’s processing of personal data under the SCC 2010.
  12. Oracle shall keep a list of subprocessors and make it available for Customer’s review upon request on an annual basis or in the event that a new subprocessor is added, to the extent applicable to the SCC 2010. Additionally, Oracle shall make the portions of its subprocessor agreements applicable to the SCC 2010 available to Customer if so requested. Customer consents to Oracle’s use of subprocessors in performance of the Applicable Services.
  13. Oracle may (i) compile statistical and other information related to the performance, operation and use of the Applicable Services, and (ii) use data from the Applicable Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes (clauses (i) and (ii) are collectively referred to as “Service Analyses”). Oracle may make Service Analyses publicly available; however, Service Analyses will not incorporate Customer’s Confidential Information (as defined in the Commercial Agreement) in a form that could identify or serve to identify Customer or any data subject, and Service Analyses do not constitute personal data. Oracle retains all intellectual property rights in Service Analyses.
  14. This Bronto Data Processing Addendum shall apply only between the parties and shall not confer any rights to any other person or entity, except solely to the extent the SCC 2010 confers rights on data subjects. Customer agrees that it has received, read and understood the Applicable Services List prior to signing this Bronto Data Processing Addendum. Neither this Bronto Data Processing Addendum nor the SCC 2010 will modify the allocation of commercial risks agreed upon by the parties in the Commercial Agreement, including, but not limited to, any limitations or exclusions of liability.

Exhibit A to the Bronto Data Processing Addendum

Access Control to Processing Areas (Physical Controls)

Data importer implements the following measures to prevent unauthorized persons from gaining access to the data processing equipment where the personal data is processed or used:

  • establishing security areas;
  • procuring 24-hour security service at data centres;
  • requiring all doors to be locked before and after entry;
  • restricting and protecting access paths;
  • securing the data processing equipment;
  • establishing access authorizations for staff and third parties, including the respective documentation;
  • restricting issuance of card-keys;
  • regulating card-keys once issued;
  • logging, monitoring and tracking all access to the data centre; and
  • securing the data centre with a security alarm system, and other appropriate security measures.

Access and Input Control of Data Processing Systems, Including Specific Areas of the Data Processing Systems (Technological Controls)

Data importer implements the following measures to prevent unauthorized persons from gaining access to the data processing systems, including specific areas of the data processing systems. Input and removal of personal data is also controlled by:

  • issuing and securing staff identification codes;
  • authenticating authorized personnel use at the individual level requiring authentication credentials such as user IDs that cannot be re-assigned to another person;
  • assigning individual terminals and/or terminal users and host identification characteristics exclusive to specific functions;
  • limiting staff access to only that personal data relevant to the scope of each individual’s role or responsibility. Personal data cannot be read, copied or modified or removed without authorization;
  • electronic recording of input entries;
  • identifying and tracking terminal use at the user level;
  • regularly re-using and destroying tape back-up copies in a manner that renders the personal data un-readable; and
  • using industry standard encryption technologies. Please note: data at rest will not be encrypted.

Segregation of Personal Data (Technological Controls)

Data importer implements the following measures to process personal data gathered for unrelated purposes separately:

  • segregating personal data through the use of application security measures and then assigning access to the appropriate users;
  • separating personal data into modules within the data processing system. Each module is created for the specific purpose for which the personal data was gathered, i.e. by functionality and function; and
  • storing personal data in different areas at the database level on a per module or function basis.

Transmission Control (Technological Controls)

Data importer implements the following measures to prevent unauthorized persons from reading, copying, altering or deleting personal data during personal data transmission:

  • using firewall and encryption technologies to protect the gateways and pipelines through which personal data travels; and
  • logging, monitoring and tracking transmissions in a manner that is commercially reasonable.

Availability Control (Process Controls)

Data importer implements the following measures to ensure that personal data is protected from accidental destruction or loss:

  • implementing infrastructure redundancies to ensure data access is restored within seven days and backup performed at least weekly;
  • storing back-ups off-site and ensuring they are readily available for restoration in case of failure of storage infrastructure for relational database server; and
  • recording any detected security incident and deploying data recovery procedures as needed, including, if possible, identification of the person who carried them out.

Roles, Responsibilities and Policy Controls

Data importer implements the following measures to ensure personal data is processed only in accordance with instructions provided by data exporter:

  • binding policies and procedures for data importer's employees and sub-processors. Policies will clearly inform staff of their obligations (including confidentiality and associated statutory obligations) and the associated consequences of any violation;
  • individual appointment of system administrators;
  • maintaining a current list with system administrators' identification details (e.g. name, surname, function or organizational area);
  • correcting any inaccuracies, and deleting personal data as instructed;
  • implementing compliance audits;
  • maintaining applicable third-party certifications that include audit reporting that can be produced upon request of data exporter; and
  • establishing processes for the destruction or return of personal data to data exporter at the expiration or termination of Customer’s services agreement.