Data Processing Addendum

Effective date: 1 August 2020

This RANDOM.ORG (‘RANDOM.ORG’) Data Processing Addendum forms part of, and is subject to the provisions of, the RANDOM.ORG Terms of Use and the Subscription Terms (the ‘Agreement’). Capitalized terms that are not defined in this Data Processing Addendum have the meanings set forth in the Terms of Use and the Subscription Terms.

1. Additional Definitions

The following definitions apply solely to this Data Processing Addendum:

1. The terms ‘controller’, ‘data subject’, ‘personal data’, ‘process,’ ‘processing’ and ‘processor’ have the meanings given to these terms in Data Protection Law.
2. ‘Breach’ means a breach of the Security Measures resulting in access to RANDOM.ORG equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by RANDOM.ORG on your behalf and instructions through the Services.
3. ‘Content’ means any content provided to us from your Users, or from you on behalf of your Users, including without limitation text, photos, images, audio, video, code, and any other materials.
4. ‘Data Protection Law’ means the General Data Protection Regulation (EU) 2016/679 (the "GDPR"), the Data Protection Acts 1988 to 2018 (and any legislation that updates, amends or replaces the Data Protection Acts 1988 to 2018), the ePrivacy Directive 2002/58/EC and all applicable laws and regulations relating to the processing of personal data, including, where applicable, the guidance and codes of practice issued by the Irish Data Protection Commission and the Article 29 Working Party.
5. ‘Security Measures’ means the technical and organizational security measures that RANDOM.ORG has in place from time to time.
6. ‘Sub-Processor’ means an entity engaged by RANDOM.ORG to process Your Controlled Data.
7. ‘User’ means a customer or user of your services, including Your Site.
8. ‘Verfication Data’ means the portion of Your Controlled Data and such other data as we may deem reasonably necessary to verify that the results of any draw performed as part of the Services are accurate and to ensure the integrity of the Services.
9. ‘Your Controlled Data’ means the personal data disclosed or supplied by you to RANDOM.ORG or otherwise acquired or generated by RANDOM.ORG on your behalf in relation to the provision of the Services, including the Content. Your Controlled Data does not include personal data controlled by us including data we collect (including IP address, device/browser details and visited pages) with respect to your Users’ interactions with our Site through their browser and technologies like cookies.
10. ‘Your Site’ means a website owned and controlled by you, as notified to us in writing.

2. Applicability

This Data Processing Addendum only applies to you if you or your Users are data subjects located within the EEA or Switzerland and only applies in respect of Your Controlled Data. You agree that RANDOM.ORG is not responsible for personal data that you have elected to process outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.

3. Details of Data Processing

3.1 Subject Matter. The subject matter of the data processing under this Data Processing Addendum is Your Controlled Data.

3.2 Duration. This Data Processing Addendum shall continue in force until the termination of the Agreement.

3.3 Purpose. The purpose of the data processing under this Data Processing Addendum is the provision of the Services initiated by you from time to time.

3.4 Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.

3.5 Type of Personal Data. Your Controlled Data relating to you, your Users or other individuals whose personal data is included in Content which is processed as part of the Services in accordance with instructions given through your account.

3.6 Categories of Data Subjects. You, your Users and any other individuals whose personal data is included in Content.

4. Processing Roles and Activities

4.1 RANDOM.ORG as Processor and You as Controller. You are the controller and RANDOM.ORG is the processor of Your Controlled Data.

4.2 RANDOM.ORG as Controller. RANDOM.ORG may also be an independent controller for some personal data relating to you or your Users. Please see the Agreement, our Privacy Notice and our Cookie Policy for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us.

4.3 Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified from within your account (the ‘Purpose’).

4.4 Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Addendum. RANDOM.ORG will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.

5. Our Processing Responsibilities

5.1 How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through your account. You agree that the Agreement and the instructions given through your account are your complete and final documented instructions to us in relation to your Controlled Data. Additional instructions outside the scope of this Data Processing Addendum require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe Data Protection Law, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.

5.2 Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under Data Protection Law. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information, such as for confidentiality. Our obligation to report or respond to a Breach under this section 5.2 is not and will not be construed as an acknowledgement by RANDOM.ORG of any fault or liability of RANDOM.ORG with respect to the Breach. Despite the foregoing, RANDOM.ORG’s obligations under this section do not apply to incidents that are caused by you, any activity on your account and/or third-party services.

5.3 Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from a User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf and instructions.

5.4 Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services, your account or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.

5.5 Security Measures. We will maintain the Security Measures. We may change these Security Measures but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

5.6 Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this Data Processing Addendum, to the extent applicable to the nature of the Services provided by such Sub-Processor. You may request a list of our current Sub-Processors (the ‘List’) by emailing privacy@random.org. We may remove, replace or appoint further Sub-Processors in our sole discretion and will update the List accordingly. At least ten (10) days prior to permitting any new Sub-Processor to access Your Controlled Data, we will endeavor to: (a) post any updates to the List and (b) provide you with notice of the addition to the List if you sign up to receive such notifications in the manner instructed in the List. Provided that your objection is reasonable and related to data protection concerns, you may object to any new Sub-Processor by sending an email to privacy@random.org. If you object to any new Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to new Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such new Sub-Processor, you may cancel or terminate your account or, if possible, the portions of the Services that involve use of such new Sub-Processor. Except as set forth in this Section 5.6, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 5.6. Except as set forth in this Section 5.6 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. RANDOM.ORG will remain responsible for its compliance with the obligations of this Data Processing Addendum and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause RANDOM.ORG to breach any of RANDOM.ORG’s obligations under this Data Processing Addendum, solely to the extent that RANDOM.ORG would be liable under the Agreement if the act or omission was RANDOM.ORG’s own.

5.7 RANDOM.ORG Audits. RANDOM.ORG may (but is not obliged to) use external or internal auditors to verify the adequacy of our Security Measures.

5.8 Customer Audits and Information Requests. You agree to exercise any right you may have to conduct an audit or inspection by instructing RANDOM.ORG to carry out the audit described in Section 5.7. You agree that you may be required to agree to a non-disclosure agreement with RANDOM.ORG before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If RANDOM.ORG does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with Data Protection Law by means other than reviewing any report from such an audit, you can request a change to this instruction regarding the audit in the following way:

1. First, you will submit a request for additional information in writing to RANDOM.ORG, specifying such details as may be needed to enable RANDOM.ORG to review this request effectively, including what information is being requested, in what form you need to obtain it and what is the underlying legal requirement for the request (the ‘Request’). You agree that the Request will be limited to matters regarding our Security Measures.
2. Within a reasonable time after we have received and reviewed the Request, the parties will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. The parties agree to use the least intrusive means for RANDOM.ORG to verify RANDOM.ORG’s compliance with the Security Measures in order to address the Request, taking into account the applicable legal requirements, information available to or that can be provided to you and the urgency of the matter as well as the need for RANDOM.ORG to maintain the security of its facilities, maintain uninterrupted business operation, protect itself and its customers from risk and to prevent disclosure of information that would jeopardize the confidentiality of RANDOM.ORG and its Users’ information.

You will pay our reasonable costs in considering and addressing any Request. Any information and documentation provided by RANDOM.ORG or its auditors pursuant to this Section 5.8 will be provided at your cost and will constitute RANDOM.ORG’s confidential information, which you may not disclose other than in accordance with the relevant provisions of our Subscription Terms. If we decline to follow any instruction requested by you regarding audits or inspections, you are entitled to terminate the Agreement.

5.9 Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this Data Processing Addendum, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one time per calendar year (unless it is necessary for you to do so to comply with Data Protection Law). The information to be made available by RANDOM.ORG under this Section 5.9 is limited to solely that information necessary, taking into account the nature of the Services and the information available to RANDOM.ORG, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with RANDOM.ORG before we share any such information with you.

5.10 Requests. You can delete or access a copy of some of Your Controlled Data through your account. For any of Your Controlled Data which may not be deleted or accessed through your account, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days of the deletion of your account; or (b) delete and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which is archived on back-up systems, which we shall securely isolate and protect from any further processing, except to the extent required by applicable law). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy. This Section 5.10 does not apply to personal data held by third parties (other than Sub-Processors) or to Verification Data.

6. Data Transfers

You authorize us to transfer Your Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer Your Controlled Data to countries within the EEA and the United States. We will transfer Your Controlled Data to outside the EEA using a lawful data transfer mechanism that is recognized under Data Protection Law as providing an adequate level of protection for such data transfers.

7. Liability

The liability of each party under this Data Processing Addendum is subject to the exclusions and limitations of liability set out in the Subscription Terms. You agree that any regulatory penalties or claims by data subjects or others incurred by RANDOM.ORG in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Addendum or Data Protection Law shall reduce RANDOM.ORG’s maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.

8. Conflict

In the event of a conflict between this Data Processing Addendum and the Agreement, this Data Processing Addendum will control.

9. Miscellaneous

You are responsible for any costs and expenses arising from RANDOM.ORG’s compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Addendum) which fall outside the standard functionality made available by RANDOM.ORG to its users generally through the Services.