Collection of your Personal Information
In order to better provide you with products and services offered on our Site, Vertex may collect personally identifiable information, such as your:
- First and Last Name
- Mailing Address
- E-mail Address
- Phone Number
If you purchase Vertex’s products and services, we collect billing and credit card information. This information is used to complete the purchase transaction.
We do not collect any personal information about you unless you voluntarily provide it to us. However, you may be required to provide certain personal information to us when you elect to use certain products or services available on the Site. These may include: (a) registering for an account on our Site; (b) entering a sweepstakes or contest sponsored by us or one of our partners; (c) signing up for special offers from selected third parties; (d) sending us an email message; (e) submitting your credit card or other payment information when ordering and purchasing products and services on our Site. To wit, we will use your information for, but not limited to, communicating with you in relation to services and/or products you have requested from us. We also may gather additional personal or non-personal information in the future.
Use of your Personal Information
Vertex collects and uses your personal information to operate its website(s) and deliver the services you have requested.
Vertex may also use your personally identifiable information to inform you of other products or services available from Vertex and its affiliates.
Sharing Information with Third Parties
Vertex does not sell, rent or lease its customer lists to third parties.
Vertex may share data with trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to Vertex, and
they are required to maintain the confidentiality of your information.
Vertex may disclose your personal information, without notice, if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on Vertex or the site; (b) protect and defend the rights or property of Vertex; and/or (c) act under exigent circumstances to protect the personal safety of users of Vertex, or the public.
Tracking User Behavior
Vertex may keep track of the websites and pages our users visit within Vertex, in order to determine what Vertex services are the most popular. This data is used to deliver customized content and advertising within Vertex to customers whose behavior indicates that they are interested in a particular subject area.
Automatically Collected Information
Information about your computer hardware and software may be automatically collected by Vertex. This information can include: your IP address, browser type, domain names, access times and referring website addresses. This information is used for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of the Vertex website.
The Vertex website may use “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you.
One of the primary purposes of cookies is to provide a convenience feature to save you time. The purpose of a cookie is to tell the Web server that you have returned to a specific page. For example, if you personalize Vertex pages, or register with Vertex site or services, a cookie helps Vertex to recall your specific information on subsequent visits. This simplifies the process of recording your personal information, such as billing addresses, shipping addresses, and so on. When you return to the same Vertex website, the information you previously provided can be retrieved, so you can easily use the Vertex features that you customized.
You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Vertex services or websites you visit.
This website contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of any other site that collects personally identifiable Information.
Security of your Personal Information
Vertex secures your personal information from unauthorized access, use, or disclosure. Vertex uses the following methods for this purpose:
- SSL Protocol
When personal information (such as a credit card number) is transmitted to other websites, it is protected through the use of encryption, such as the Secure Sockets Layer (SSL) protocol.
We strive to take appropriate security measures to protect against unauthorized access to or alteration of your personal information. Unfortunately, no data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, you acknowledge that: (a) there are security and privacy limitations inherent to the Internet which are beyond our control; and (b) security, integrity, and privacy of any and all information and data exchanged between you and us through this Site cannot be guaranteed.
Children Under Thirteen
Vertex collects personally identifiable information from children under the age of thirteen. Vertex collects this information for the following reason(s): ensuring participants of our kids programs are placed in the correct program for their age bracket.
If you are under the age of thirteen, you must ask your parent or guardian for permission to use this website. If you are a parent and you have questions regarding our data collection practices, please contact us using the information provided at the end of this statement of Privacy.
From time to time, Vertex may contact you via email for the purpose of providing announcements, promotional offers, alerts, confirmations, surveys, and/or other general communication.
If you would like to stop receiving marketing or promotional communications via email from Vertex, you may opt out of such communications by clicking on the UNSUBSCRIBE button.
External Data Storage Sites
We may store your data on servers provided by third party hosting vendors with whom we have contracted.
Changes to this Statement
Vertex welcomes your questions or comments regarding this Statement of Privacy. If you believe that Vertex has not adhered to this statement, please contact Vertex at:
Vertex Climbing Center 3358A Coffey Lane Santa Rosa, California 95403
Email Address: firstname.lastname@example.org
Telephone number: (707) 573-1608
Effective as of July 30, 2019
RGP DEVELOPMENT LLC
DATA PROCESSING ADDENDUM
This Data Processing Addendum (this “DPA“) is made as of the last date set forth on the signature page hereto (the “Effective Date”) by and between RGP Development LLC, a limited liability company organized and existing under the laws of the State of Oregon, U.S.A. (“Rock Gym Pro“), and the entity or person set forth on the signature page hereto (“Customer“), pursuant to the Agreement (as defined below). This DPA has been pre-signed on behalf of Rock Gym Pro. This DPA will be void ab initio, with no force or effect, if the entity or person signing this DPA is not a party to an effective Agreement (as defined below) directly with Rock Gym Pro. Rock Gym Pro and Customer are sometimes referred to herein individually as a “party” or together as the “parties“.
This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data is processed by Rock Gym Pro under the Agreement.
- For the purposes of this DPA, the following terms shall have their respective meanings set forth below and other capitalized terms used but not defined in this DPA have the same meanings as set forth in the Agreement:
- “Agreement” means the Terms of Service and Paid Plan Agreement, as applicable, between the parties, in each case providing for the provision by Rock Gym Pro to Customer of the services described therein.
- “EEA” means the European Economic Area (including the United Kingdom).
- “EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”), including any applicable national implementations of it; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) (as amended, replaced or superseded).
- “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- “Processor” means an entity which processes Personal Data on behalf of the Controller.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce.
- “Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded or replaced).
- “Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Sensitive Data” means (a) social security number, passport number, driver’s license number, or similar identifier (or any portion thereof), (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords; (f) date of birth; (g) criminal history; (h) mother’s maiden name; and (i) any other information that falls within the definition of “special categories of data” under EU Data Protection Legislation or any other applicable law relating to privacy and data protection.
- Relationship with Agreement
- Except as amended by this DPA, the Agreement will remain in full force and effect.
- If there is a conflict between the Agreement and this DPA, the terms of this DPA will controll.
- Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
- Applicability of this DPA
- Part A (being Sections 4 to 6 as well as Annexes A and B of this DPA), shall apply to the processing of Personal Data under the Agreement from the Effective Date above.
- Part B (being Sections 7 to 11) shall apply to the processing of Personal Data by Rock Gym Pro falling within the scope of the GDPR from and including 25 May 2018.
- With respect to the processing of Personal Data falling within the scope of Part B:
- the terms of Part B shall apply in addition to, and not in substitution of, the terms in Part A; and
- to the extent there is any conflict between the provisions in Part A and Part B, the provisions in Part B shall take priority from and including 25 May 2018.
- Notwithstanding anything in this DPA, Rock Gym Pro will have the right to collect, extract, compile, synthesize and analyze aggregated, non-personally identifiable data or information (data or information that does not identify Customer or any other entity or natural person as the source thereof) resulting from Customer’s use or operation of the Services (“Service Data”) including how its end users or their customers use Rock Gym Pro. To the extent any Service Data is collected or generated by Rock Gym Pro, such data will be solely owned by Rock Gym Pro and may be used by Rock Gym Pro for any lawful business purpose without a duty of accounting to Customer or its recipients. For the avoidance of doubt, this DPA will not apply to Service Data.
Part A: General data protection obligations
- Roles and responsibilities
- Parties’ Roles. Customer, as Controller, appoints Rock Gym Pro as a Processor to process the Personal Data described in Annex A on Customer’s behalf.
- Purpose Limitation. Rock Gym Pro shall process the Personal Data for the purposes described in Annex A and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. The Agreement and this DPA sets out Customer’s complete instructions to Rock Gym Pro in relation to the processing of the Personal Data and any processing required outside of the scope of these instructions will require prior written agreement between the parties.
- Prohibited Data. Customer will not provide (or cause to be provided) any Sensitive Data to Rock Gym Pro for processing under the Agreement, and Rock Gym Pro will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
- Description of Processing. A description of the nature and purposes of the processing, the types of Personal Data, categories of data subjects, and the duration of the processing are set out further in Annex A.
- Compliance. Customer shall be responsible for ensuring that:
- it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation, in its use of the Services and its own processing of Personal Data (except as otherwise required by applicable law); and
- it has, and will continue to have, the right to transfer, or provide accessto, the Personal Data to Rock Gym Pro for processing in accordance with the terms of the Agreement and this DPA.
- Security. Rock Gym Pro shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
- Security Exhibit. The technical and organizational security measures which Rock Gym Pro shall have in place under the Agreement are set out at Annex B to this DPA.
- International transfers
- International Transfers. To the extent that Rock Gym Pro processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection (within the meaning of EU Data Protection Legislation) by virtue of Rock Gym Pro’s self-certification to the Privacy Shield. Rock Gym Pro shall agree to apply the Privacy Shield Principles when processing (or causing to be processed) any EEA or Swiss Personal Data under this Agreement.
- Privacy Shield Notifications. Rock Gym Pro agrees to notify Customer without undue delay if its self- certification to the Privacy Shield is withdrawn, terminated, revoked, or otherwise invalidated. In such a case, the parties shall cooperate in good faith to put in place such alternative data export mechanisms as are required under EU Data Protection Legislation to ensure an adequate level of protection for the Personal Data.
Part B: GDPR Obligations from 25 May 2018
- Additional security
- Confidentiality of processing. Rock Gym Pro shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
- Security Incidents. Upon becoming aware of a Security Incident, Rock Gym Pro shall notify Customer without undue delay and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under EU Data Protection Legislation. Rock Gym Pro shall take appropriate and commercially reasonable steps to mitigate the effects of such a Security Incident on the Personal Data under this Agreement.
- Sub-processors. Customer agrees that Rock Gym Pro may engage Rock Gym Pro affiliates and third party sub-processors (collectively, “Sub-processors“) to process the Personal Data on Rock Gym Pro’s behalf. The Sub-processors currently engaged by Rock Gym Pro and authorized by Customer are available at https://www.rockgympro.com/sub-processors/.
- Objection to Sub-processors. Customer may object in writing to the appointment of an additional Sub-processor. In the event that Customer objects on reasonable grounds relating to the protection of the Personal Data, then the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, Rock Gym Pro will, at its sole discretion, either not appoint Sub-processor, or permit Customer to suspend or terminate the affected Rock Gym Pro service in accordance with the termination provisions of the Agreement.
- Sub-processor obligations. Where a Sub-processor is engaged by Rock Gym Pro as described in this Section 8, Rock Gym Pro shall:
- restrict the Sub-processor’s access to Personal Data only to what is necessary to perform the subcontracted services;
- impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA; and
- remain liable for any breach of the DPA caused by a Sub-processor.
- Cooperation and data subjects’ rights. Rock Gym Pro shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable Customer to respond to requests from a data subject seeking to exercise their rights under EU Data Protection Legislation. In the event that such request is made directly to Rock Gym Pro, Rock Gym Pro shall promptly inform Customer of the same.
- Protection Impact Assessments. Rock Gym Pro shall, to the extent required by EU Data Protection Legislation and at Customer’s expense, taking into account the nature of the processing and the information available to Rock Gym Pro, provide Customer with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection
- Deletion / return of data
- Deletion or return of data: Upon termination or expiry of the Agreement, Rock Gym Pro shall at Customer’s election, delete or return to Customer the Personal Data (including copies) in Rock Gym Pro’s possession, save to the extent that Rock Gym Pro is required by any applicable law to retain some or all of the Personal Data.
SIGNED by the parties or their duly authorized representatives:
Vertex Climbing Center Execution:
Name: Gorden Cooley
Date: July 30, 2019
Rock Gym Pro Execution:
Name: Tod Bloxham
Date: July 30, 2019
DESCRIPTION OF PROCESSING
Nature and purposes of processing
Rock Gym Pro is a US headquartered provider of member management software. This software consists primarily of CRM type software for customer management, billing and bookings.
Otherwise, the data processing will involve any such processing that is necessary for the purposes set out in the Agreement, the DPA, or as otherwise agreed between the parties.
Categories of data subjects
The personal data transferred concerns any data subjects handled by Rock Gym pro on behalf and as instructed by the Customer using Rock Gym Pro.
Categories of data
The personal data transferred concern the following categories of data for the data subjects:
- Identification information (first and last name), contact information (address, telephone number (fixed and mobile), e-mail address, fax number), date of birth, purchase history, signed contracts; and
- Any other personal data that the Customer chooses to collect within their customer records using Rock Gym Pro’s services.
The personal data transferred to Rock Gym Pro for processing is determined and controlled by the Customer in its sole discretion. As such, Rock Gym Pro has no control over the volume and sensitivity of personal data processed through its service by the Customer.
Special categories of data (if appropriate)
Rock Gym Pro does not intentionally collect or process any special categories of data in the provision of its service.
Under the Agreement, the Customer agrees not to provide special categories of data to Rock Gym Pro at any time.
Duration of processing
The personal data will be processed for the term of the Agreement, or as otherwise required by law or agreed between the parties.
ROCK GYM PRO SECURITY MEASURES
- Network-Level Controls
- Rock Gym Pro will use host-based firewall(s) to protect hosts/infrastructure handling Personal Data. The firewall(s) must be able to effectively perform the following functions: stateful inspection, logging, support for strong encryption and hashing, ICMP and SNMP based monitoring and anti- spoofing.
- Rock Gym Pro will have network-based security monitoring for the segment(s) on which hosts handling Personal Data are logically located.
- Rock Gym Pro will assess network-level vulnerabilities and address critical vulnerabilities within 30 days. d. Rock Gym Pro will employ change management standards for network/infrastructure components handling Personal Data.
- Hosting Level Controls
- Rock Gym Pro will implement operating system hardening for hosts/infrastructure handling Personal Data. Operating system hardening includes, but is not limited to, the following configurations: strong password authentication/use of keys, inactivity time-out, disabling or removal of unused or expired accounts and services, turning off unused ports, and log management. In addition, Rock Gym Pro will implement access control processes and restrict access to operating system configurations based on the least privilege principle.
- Rock Gym Pro will perform patch management on systems that host or handle Personal Data. Rock Gym Pro will implement critical patches within vendor recommended timeframes on systems that host or handle Personal Data, not to exceed 30 days after the patch is identified.
- Rock Gym Pro will implement specific controls to log activities of users with elevated access to systems that host or handle Personal Data.
- Application-Level Controls
- Rock Gym Pro will maintain documentation on overall application architecture, process flows, and security features for applications handling Personal Data.
- Rock Gym Pro will employ secure programming guidelines and protocols in the development of applications processing or handling Personal Data.
- Rock Gym Pro will regularly perform patch management on applications that host or handle Personal Data. Rock Gym Pro will implement critical patches within vendor recommended timeframes on all applications that host or handle Personal Data, not to exceed 30 days.
- Data-Level Controls
- Rock Gym Pro will use strong encryption (TLS) for transmission of Personal Data that is considered Confidential Information. Data backups of Personal Data will be encrypted at rest and while in transit; however due to the dynamic nature of data in Rock Gym Pro’s production environment, Personal Data in Rock Gym Pro’s production databases will not be encrypted at rest.
- End User Computing Level Controls
- Rock Gym Pro will employ an end point security or antivirus solution for end user computing devices that handle Personal Data.
- Compliance Controls
- Rock Gym Pro will adopt appropriate physical, technical and organizational security measures in accordance with industry standards, including but not limited to, building access control, employee education and personnel security measures.