A Data Processing Addendum (DPA) is a legally binding agreement that establishes terms governing the processing and any cross-border transfers of a data controller’s personal data by a data processor. For Gem, DPAs are a compliance mechanism that we sign if requested by a customer. DPAs are typically required by EU-based customers, and increasingly by customers in the US and other countries.
Gem’s DPA should always be positioned as non-negotiable, and sales should be clear with our prospects that Gem cannot agree to use a Customer DPA.
Please send the prospect or customer Gem’s current template DPA (available here). Please share it as a .pdf rather than a Word document and communicate that the DPA is non-negotiable.
The #sales-success-legal channel is dedicated to legal support requests and questions from the sales, success and other GTM teams. Legal built a dedicated workflow in this channel that AEs can use to submit customer redlines for legal review. If a customer redlines the DPA, request legal review by launching this workflow within the channel: click the Workflows drop-down at the top left of the screen. The workflow asks for certain basic information about the deal (customer, close date, deal size) and has a field for sales to share link(s) to the redlines to be reviewed.
What if your customer asks to use their DPA?
Gem’s DPA is specifically tailored to our product/services in line with GDPR requirements and it is very important that we ask all customers who require a DPA to use our form DPA. Please push as hard as possible on 1) having the Customer use our DPA and 2) preventing the Customer from editing our DPA.
General Response:
The details of Gem’s data processing activities are set forth in our privacy policy, available at https://www.gem.com/compliance/privacy, and in our Data Processing Addendum (“DPA”), attached here.
We’ve dedicated significant cross-functional resources to customizing Gem’s DPA in order to reflect the nature of our shared services that are uniformly delivered across Gem’s customer base, while also supporting our customers’/controllers’ compliance and data security requirements in a customer-friendly manner. Because of our shared service infrastructure, we are unable to tailor our service or associated commitments we make about our service to any specific customer’s bespoke data privacy requirements. We must ensure that we are able to properly flow down our obligations to our sub-processors, and so compliance must be a tightly managed routine. So while we can understand a customer’s desire to work off of requirements with which it is familiar and has internally vetted, we ask that our customers who would like to enter into a data processing agreement with us sign our DPA. If you need further information, we are happy to answer any remaining questions you may have regarding Gem’s DPA terms.
Response if Customer asks Gem to sign its custom security exhibit:
We are happy to assist you through your due diligence process to assess whether Gem is a suitable service that meets your standards of security and compliance. We understand there may be concerns around working off a vendor’s commercial agreements and can certainly sympathize with your desire to work from requirements with which you are familiar and have internally vetted. However, those requirements were not drafted to reflect the way Gem operates, and our documentation has been tightly customized for our services. Because of our shared service infrastructure, we unfortunately aren’t able to tailor our service or associated commitments to any individual customer’s bespoke security requirements. That said, we would be happy to answer any questions or provide any additional information that may be helpful to you in your evaluation of Gem.
Response if Customer asks Gem to revise its DPA:
We appreciate the time taken to review our Data Processing Addendum (DPA). However, we are generally unable to accommodate significant changes to our DPA, as we must discharge our obligations under GDPR at scale as a multi-tenant service provider while assisting our customers in doing the same. We must ensure that we are properly flowing down our obligations to our subprocessors and so compliance must be a tightly managed routine, which we are unable to deviate from. We believe our DPA terms reflect our requirements as a processor under GDPR. If you need further information, we are happy to answer any remaining questions you may have regarding Gem’s DPA terms.
Note to Send when attaching pdf version of Gem’s DPA:
We appreciate your time reviewing Gem’s Data Processing Addendum (DPA) and have attached a pdf version here for your review and counter-signature. Please note that we are unable to accommodate changes to Gem’s DPA, as we must discharge our obligations under GDPR at scale as a multi-tenant service provider while assisting our customers in doing the same. We must ensure that we are properly flowing down our obligations to our subprocessors and so compliance must be a tightly managed routine, which we are unable to deviate from. We believe our DPA terms reflect our requirements as a processor under GDPR. If you need further information, we are happy to answer any remaining questions you may have regarding Gem’s DPA terms.
Response if customer sends their DPA:
Thank you for sharing your form DPA. We understand there may be concerns around working off a vendor’s privacy documentation and can certainly sympathize with your desire to work from requirements with which you are familiar and have internally vetted. However, those requirements were not drafted to reflect the way Gem operates, and our DPA has been tightly customized for our services. We’ve dedicated significant cross-functional resources to customizing Gem’s DPA in order to reflect the nature of our shared services that are uniformly delivered across Gem’s customer base, while also supporting our customers’/controllers’ compliance and data security requirements in a customer-friendly manner.
Because of our shared service infrastructure, we are unfortunately unable to tailor our service or associated commitments we make about our service to any specific customer’s bespoke data privacy requirements. We must ensure that we are able to properly flow down our obligations to our sub-processors, and so compliance must be a tightly managed routine. So while we can understand a customer’s desire to work off of their paper, we ask that our customers who would like to enter into a data processing agreement with us sign our DPA. We’ve attached a copy of Gem’s DPA here for your review. If there are any questions about Gem’s DPA or we can provide any additional information to facilitate your team’s review, please let us know and we are happy to help.
Responses for Requested DPA Updates to address the new SCCs / CPRA:
Context. EU law and California law were updated and require new documentation to be in place for compliance purposes, which means that customers with existing DPAs that address GDPR and/or CCPA need to update those DPAs. As a result, we are receiving customer requests to sign DPA amendments that are not tied to revenue opportunities for Gem. We do not have internal resources to negotiate customer paper amendments or new DPAs. Because these requests are not tied to current revenue opportunities, it also isn’t feasible for Gem to incur the hard costs required to engage outside counsel to review bespoke customer documentation. So we are relying on the sales team to persuade the customer to work from Gem’s current DPA and avoid these costs to Gem.
(1) Preferred First Response - ask the customer to replace legacy DPA with Gem’s current DPA:
First Variation - where legacy DPA is on Customer Paper.
[Instructions: Send the following note, along with a pdf copy of Gem’s current DPA.]
We reviewed the documentation in place between our companies and it appears that a non-Gem DPA was previously signed by the parties. Gem has updated our standard customer DPA since we entered into a DPA with your company, including to account for the new SCCs, the CPRA and recent updates in UK law. We have also updated our process so that all Gem customers can benefit from an automated subprocessor update process, which is outlined in Gem’s current DPA. To address your request, we’d be happy to replace your existing DPA with Gem’s current DPA (attached here).
We can certainly understand your desire to work off of your paper, and we appreciate you sharing your form DPA. But individual customer DPAs were not drafted to reflect the way Gem operates, and due to our multi-tenancy we require uniformity across our customer commitments in order to properly discharge our obligations under applicable privacy laws at scale. So we ask that all Gem customers wishing to update a legacy DPA sign Gem’s updated DPA (vs working from any individual customer’s bespoke template).
We can certainly understand your desire to work off of your paper, and we appreciate you sharing your form DPA. But individual customer DPAs were not drafted to reflect the way Gem operates, and our DPA has been tightly customized for our services. So we ask that all Gem customers wishing to replace a legacy DPA sign Gem’s updated DPA (vs working from any individual customer’s bespoke template).
Please let us know if you’d like us to route the attached DPA for signatures once you’ve had a chance to review. We’re happy to answer any questions you may have or provide any additional information that would facilitate your review.
Second Variation - where legacy DPA is on Gem Paper.
[Instructions: Send the following note, along with a pdf copy of Gem’s current DPA.]
Thank you for your note. Gem has updated our standard customer DPA since we entered into a DPA with your company, including to account for the new SCCs, the CPRA and recent updates in UK law. We have also updated our process so that all Gem customers can benefit from an automated subprocessor update process, which is outlined in Gem’s current DPA. To address your request, we’d be happy to replace your existing DPA with Gem’s current DPA (attached here).
We can certainly understand your desire to work off of your paper, and we appreciate you sharing your form DPA. But individual customer DPAs were not drafted to reflect the way Gem operates, and our DPA has been tightly customized for our services. So we ask that all Gem customers wishing to replace a legacy DPA sign Gem’s updated DPA (vs working from any individual customer’s bespoke template).
Please let us know if you’d like us to route the attached DPA for signatures once you’ve had a chance to review. We’re happy to answer any questions you may have or provide any additional information that would facilitate your review.
Third Variation - where customer does not have a DPA in place with Gem.
Thank you for your note. We would be happy to enter into a DPA with your company; however, we require that all Gem customers sign Gem’s DPA (vs working from any individual customer’s bespoke template). We’ve attached Gem’s DPA here for you.
We’ve dedicated significant cross-functional resources to customizing Gem’s DPA in order to reflect the nature of our shared services that are uniformly delivered across Gem’s customer base, while also supporting our customers’/controllers’ compliance and data security requirements in a customer-friendly manner. Because of our shared service infrastructure, we require uniformity across our customer commitments and are unable to tailor our practices to any individual customer’s bespoke data privacy requirements. We must ensure that we are able to properly flow down our obligations to our sub-processors, and so compliance must be a tightly managed routine. So while we can understand a customer’s desire to work off of requirements with which it is familiar and has internally vetted, we ask that our customers who would like to enter into a data processing agreement with us sign our DPA.
Please let us know if you’d like us to route the attached DPA for signatures once you’ve had a chance to review. If you need further information, we are happy to answer any remaining questions you may have regarding Gem’s DPA terms.