For the champion - the church
Trust center
Trust center
For Individuals & Champions
General
Data Protection Standards
Gloo, LLC and its affiliates and subsidiaries (collectively “Gloo”) require that its service providers, suppliers, distributors and other business partners and their employees (collectively “You” or “Service Provider”) (collectively the “Parties”) comply with the requirements set forth in these Data Protection Standards (“Standards”) with respect to any information that Gloo, Gloo employees, representatives, customers, distributors, or other business partners or other individuals make available to You in the context of Your business relationship with Gloo.
The Parties acknowledge that these Standards apply to and are incorporated by this reference into the Agreement with Service Provider if and to the extent that Service Provider is processing Personal Data under the Agreement where (i) Gloo acts as a controller and Service Provider acts as a processor for Gloo, or (ii) Gloo acts as a processor and Service Provider acts as a subprocessor for Gloo. In those cases, Gloo’s engagement of Service Provider is conditioned upon Service Provider’s agreement to the terms and conditions of these Standards. Signature to the Agreement shall constitute all necessary and required signatures to these Standards.
Processing of Personal Data
If acting as a controller of the Personal Data, Gloo is and shall remain the controller or responsible party of all information provided or made accessible by Gloo to Service Provider under the Agreement that identifies or can be used to directly or indirectly identify, describe, contact, locate, or otherwise be related to or associated with an individual or household (“Personal Data”) under applicable data privacy, data protection, and data security laws and regulations governing the Processing of Personal Data (collectively, “Applicable Data Protection Law(s)”). Gloo maintains the rights and obligations to determine the purposes for which Personal Data is processed (which includes but is not limited to, collection, recording, storage, use, access, transmission, and the means by which Personal Data may be transferred) (“Process” or “Processing”). Nothing in these Standards shall restrict or limit in any way Gloo’s rights or obligations as controller of Personal Data for such purposes.
Where Gloo is itself a processor or service provider (as applicable) of the Personal Data, Service Provider shall be a subprocessor under these Standards. Gloo shall serve as the sole point of contact for Service Provider and Service Provider shall not interact directly with (including to seek any authorizations directly from) the corresponding controller, other than through the regular provision of the Services to the extent required under the Agreement. Where Service Provider would otherwise be required to provide information, assistance, cooperation, or other notification to the controller, Service Provider shall provide it solely to Gloo.
Service Provider shall act as a processor or subprocessor (as applicable) under Applicable Data Protection Laws. As such, Service Provider shall only Process Personal Data in accordance with (i) the instructions of Gloo, (ii) as necessary to carry out the business purposes of the Agreement, in accordance with Annex A, or (iii) as otherwise authorized by Gloo in writing (“Processing Services”), and for no other purpose. For the avoidance of doubt, Service Provider will not (and will ensure that its employees, officers, contractors and agents do not): (a) retain, use, or disclose Personal Data for any purpose other than for the business purpose(s) set forth in these Standards and in accordance with written instructions from Gloo or otherwise permitted by Applicable Data Protection Laws; (b) retain, use, or disclose Personal Data for a commercial purpose other than providing the Services to Gloo; (c) “sell” or “share” Personal Data, as defined under Applicable Data Protection Laws; (d) retain, use, or disclose Personal Data outside of the direct business relationship between Gloo and Service Provider; or (e) combine Personal Data received from or on behalf of Gloo with Personal Data received from or on behalf of any other person or collected from Service Provider’s own interaction with a consumer. The foregoing does not apply to any information that no longer qualifies as Personal Data (including Gloo Personal Data), including by application of anonymization, deidentification, or aggregation techniques that meet the requirements of Applicable Data Protection Laws.
Where an Applicable Data Protection Law requires Service Provider to Process Personal Data under terms other than those of these Standards, or other written instructions of Gloo, Service Provider shall immediately notify Gloo of such legal requirement before Processing in accordance with the legal requirement, unless the applicable law prohibits disclosure. In addition, Service Provider shall notify Gloo immediately if, in Service Provider's assessment, any of Gloo's instructions infringe applicable law, including but not limited to Applicable Data Protection Laws, or if Service Provider determines that it can no longer meet its obligations under these Standards.
Service Provider shall immediately notify Gloo in writing of any request, complaint, claim, or other communication regarding Personal Data received by Service Provider, as well as by any Subprocessors (defined below): (i) from an individual who is or claims to be the individual about whom the Personal Data relates (“Data Subject”); (ii) from any privacy/supervisory authority, law enforcement agency, or other government authority; and/or (iii) from Gloo's employees or other third parties, other than those set forth in these Standards. Unless otherwise required by applicable law, Service Provider shall obtain Gloo's express written consent before disclosing or sharing any Personal Data in response to such requests, and Service Provider shall respond to such requests only when authorized by Gloo to do so. Subject to applicable law, in the event Service Provider receives any request from a governmental authority in any jurisdiction that requires the disclosure of Personal Data to such governmental authority, Service Provider shall attempt to redirect the governmental authority to request such Personal Data directly from Gloo. Notwithstanding anything to the contrary, however, Service Provider shall also cooperate with and provide reasonable assistance to Gloo and its affiliates, agents, Subprocessors, and representatives in responding to requests, inquiries, claims, and complaints regarding the Processing of Personal Data.
In addition to the obligations set out in Section 1(e) above, Service Provider shall assist Gloo by implementing appropriate administrative, technical, and organizational security measures for responding to applicable Data Subjects' requests relating to their rights, including but not limited to requests regarding: (i) access; (ii) rectification/modification; (iii) erasure/deletion; (iv) restriction of Processing; (v) data portability; (vi) objection to Processing; and (vii) opting out of automated individual decision-making, including profiling. Gloo shall, in its sole judgment, determine whether or not a Data Subject has a right to exercise any Data Subject rights referenced above or under Applicable Data Protection Laws, and give instructions to Service Provider to the extent the assistance is required. Further, Service Provider shall assist Gloo with communicating requests to recipients of Personal Data, including but not limited to Subprocessors, and securing such parties' cooperation to address any such Data Subject rights requests.
Service Provider warrants that any persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; are bound to Process Personal Data in accordance with Gloo's instructions; and have certified that they will comply with the terms of these Standards.
Upon request, Service Provider shall provide reasonable cooperation and assistance to Gloo in ensuring compliance with data security obligations, as well as in carrying out any data protection impact assessment or similar activity, through means, including but not limited to, providing a systemic description of the envisaged Processing, assistance with an assessment of the risks to the rights and freedoms of the relevant Data Subjects, and/or an assessment of the necessity and proportionality of the Processing in relation to the underlying purpose.
Technical and Organizational Security Measures
In addition to the technical obligations set out in Sections 1(f) and 1(h) above, Service Provider shall implement and maintain a written information security program (“Information Security Program”) that includes appropriate administrative, technical, organizational, and physical safeguards to protect Personal Data, including, as appropriate: (i) the pseudonymization and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services, including against unauthorized access, use, disclosure, alteration, or destruction of Personal Data; (iii) the ability to timely restore the availability and access to the Personal Data in the event of a physical or technical incident or issue; and (iv) a process for regularly testing, assessing, and evaluating the effectiveness of the administrative, technical, organizational, and physical measures for ensuring the security of the Processing.
In addition to any specific and/or supplemental security safeguards established in the Agreement between the Parties, Service Provider's Information Security Program shall include, but not be limited to, at least the safeguards set forth in Gloo’s Security Statement, which is incorporated herein by this reference. To the extent that any specific or supplemental security safeguards in the Agreement are less stringent than the safeguards set forth in Gloo’s Security Statement, the terms of Gloo’s Security Statement shall control. Upon Gloo's reasonable request, Service Provider shall provide a copy of its written Information Security Program to Gloo as well as any third party audits or certifications establishing that it has implemented the safeguards set out in the Information Security Program.
Security Incident
Notwithstanding anything in these Standards or the Agreement to the contrary, Service Provider shall notify Gloo immediately in writing no later than 24 hours after discovering or reasonably suspecting that: (i) any Personal Data has been Processed by Service Provider (including its Subprocessors) in violation of these Standards or Applicable Data Protection Laws or other applicable law; (ii) a breach of security leading to, or that may potentially lead to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data has occurred or may be occurring; or (iii) there have been any formal complaints about the Service Provider's (including its Subprocessors') data privacy, data protection, or data security practices (collectively, “Security Incident”). Service Provider shall cooperate fully in the investigation and remediation of the Security Incident, and take reasonable measures to limit further unauthorized disclosure or Processing of Personal Data in connection with the Security Incident. Service Provider shall also indemnify, defend, and hold Gloo, including its affiliates and subsidiaries, harmless from and against any and all claims, suits, proceedings, damages, costs, and expenses (including, without limitation, reasonable attorneys' fees, court costs, and expert witness costs) brought against or suffered by Gloo or any third party arising out of, resulting from, or relating to, any breach by Service Provider of these Standards, including any liabilities resulting from a Security Incident.
To the extent that a Security Incident gives rise to a need, in Gloo's sole judgment to: (i) provide notification to government authorities, individuals, or other persons or third parties; or (ii) undertake other remedial measures, including, without limitation, notice, credit monitoring, or call center services (collectively, “Remedial Action”), at Gloo's request, Service Provider shall, at Service Provider's cost, undertake such Remedial Action. The timing, content, and manner of effectuating any notices shall be determined by Gloo in its sole discretion.
Subprocessors
The Parties agree that Service Provider has general authorization to utilize affiliates and subsidiaries, agents, subcontractors (subject to the terms of the Agreement), or other third parties to assist Service Provider in providing the Services (“Subprocessor(s)”) subject to the terms of this Section 4. Service Provider will provide Gloo with a current list of Subprocessors (including affiliates and subsidiaries) prior to commencing the performance of Services. Throughout the term of the Agreement, Service Provider shall inform Gloo of any intended changes concerning the addition or replacement of Subprocessors, to which changes Gloo has the right to object at its sole discretion. Service Provider shall remain at all times responsible for and fully liable to Gloo for the Subprocessors' performance of its obligations. Service Provider shall also enter into a binding written agreement with each authorized Subprocessor that imposes the same or greater obligations as Service Provider's obligations as set forth under these Standards, in particular the requirements set out in Section 3 above.Audit Rights
Service Provider shall, at no additional cost to Gloo, keep or cause to be kept full and accurate records relating to all Processing of Personal Data on behalf of Gloo as part of the Processing Services, and Gloo may request, upon ten (10) days written notice to Service Provider (unless a shorter period is required by Applicable Data Protection Laws or request by a government authority), access to Service Provider's facilities, systems, records, and supporting documentation in order to audit, itself or through an independent third-party auditor, Service Provider's compliance with its obligations under or related to these Standards. The audit may be carried out once in any calendar year, unless otherwise required by Applicable Data Protection Laws or government authority. Audits shall be subject to all applicable confidentiality obligations agreed to by Gloo and Service Provider, and shall be conducted in a manner that makes reasonable efforts to minimize any disruption of Service Provider's performance of services and other normal operations. In the event that any such audit reveals material gaps or weaknesses in Service Provider's Information Security Program and/or a violation of Service Provider’s obligations under these Standards, Gloo shall be entitled to suspend transmission of Personal Data to Service Provider and terminate Service Provider's Processing of Personal Data until such issues are resolved. Gloo may also require Service Provider to, upon request, make available to Gloo any information or certifications necessary to demonstrate compliance with the obligations set forth in these Standards.Post-Termination
Notwithstanding any other provision of the Agreement or these Standards to the contrary, when Service Provider (including any of its Subprocessors) ceases to perform Processing Services for Gloo upon termination of the Agreement or otherwise (e.g. per the request or explicit instruction of Gloo), Service Provider shall, at the choice of Gloo: (i) return Personal Data (and all media containing copies of Personal Data) to Gloo; and/or (ii) securely purge, delete, and destroy Personal Data, unless applicable law to which Service Provider is subject prevents it from returning or destroying all or part of Personal Data transferred or received under the Agreement; in such case, Service Provider shall communicate in writing the legal basis preventing it from returning or destroying Gloo's Personal Data, and warrant that it shall guarantee the confidentiality of Gloo's Personal Data and shall not actively Process Gloo’s Personal Data. Electronic media containing Personal Data shall be disposed of in a manner that renders Personal Data unrecoverable. Upon request, Service Provider shall provide Gloo with an Officer's Certificate or other proof acceptable to Gloo to certify its compliance with this provision.Entry into Processing Addendum and Additional Privacy Terms
If, and to the extent required by Applicable Data Protection Laws, the Parties agree to make all commercially reasonable efforts to make necessary amendments to these Standards, including Annex A. The Parties will agree on the necessary changes in good faith, taking into account the obligation to carry out this contractual relationship in compliance with Applicable Data Protection Laws.
Additionally, to the extent that Personal Data from the European Union (EU) or United Kingdom (UK) is to be Processed, the Parties agree to execute the EU Standard Contractual Clauses and/or the UK Addendum and all corresponding and required annexes, as applicable.Limitation of Liability
The limitations of liability set forth in the Agreement apply to a breach of these Standards.
Categories of Data Subjects to Whom the Personal Data Processed Relates
Any and all Personal Data provided by Gloo to Service Provider or accessed by Service Provider in performing the Services, including without limitation Personal Data concerning the categories of Data Subjects as set forth in the Agreement.Categories of Personal Data Processed
Any and all Personal Data provided by Gloo to Service Provider or accessed by Service Provider in performing the Services, including without limitation the categories of Personal Data as set forth in the Agreement.Sensitive Categories of Personal Data Processed
Any and all sensitive Personal Data provided by Gloo to Service Provider or accessed by Service Provider in performing the Services, including without limitation the categories of sensitive Personal Data as set forth in the Agreement.Nature and Purposes of Processing
Personal Data will be Processed in accordance with the Agreement (including these Standards) and may be subject to the following Processing activities:Storage and other Processing necessary to provide, maintain and improve Services provided to Gloo; and/or
Disclosure in accordance with the Agreement (including these Standards).
Duration of Processing
Service Provider will process Personal Data for the duration of the Agreement unless otherwise agreed upon in writing.
Last Revised: March 16, 2023
For Individuals & Champions
General
Data Protection Standards
Gloo, LLC and its affiliates and subsidiaries (collectively “Gloo”) require that its service providers, suppliers, distributors and other business partners and their employees (collectively “You” or “Service Provider”) (collectively the “Parties”) comply with the requirements set forth in these Data Protection Standards (“Standards”) with respect to any information that Gloo, Gloo employees, representatives, customers, distributors, or other business partners or other individuals make available to You in the context of Your business relationship with Gloo.
The Parties acknowledge that these Standards apply to and are incorporated by this reference into the Agreement with Service Provider if and to the extent that Service Provider is processing Personal Data under the Agreement where (i) Gloo acts as a controller and Service Provider acts as a processor for Gloo, or (ii) Gloo acts as a processor and Service Provider acts as a subprocessor for Gloo. In those cases, Gloo’s engagement of Service Provider is conditioned upon Service Provider’s agreement to the terms and conditions of these Standards. Signature to the Agreement shall constitute all necessary and required signatures to these Standards.
Processing of Personal Data
If acting as a controller of the Personal Data, Gloo is and shall remain the controller or responsible party of all information provided or made accessible by Gloo to Service Provider under the Agreement that identifies or can be used to directly or indirectly identify, describe, contact, locate, or otherwise be related to or associated with an individual or household (“Personal Data”) under applicable data privacy, data protection, and data security laws and regulations governing the Processing of Personal Data (collectively, “Applicable Data Protection Law(s)”). Gloo maintains the rights and obligations to determine the purposes for which Personal Data is processed (which includes but is not limited to, collection, recording, storage, use, access, transmission, and the means by which Personal Data may be transferred) (“Process” or “Processing”). Nothing in these Standards shall restrict or limit in any way Gloo’s rights or obligations as controller of Personal Data for such purposes.
Where Gloo is itself a processor or service provider (as applicable) of the Personal Data, Service Provider shall be a subprocessor under these Standards. Gloo shall serve as the sole point of contact for Service Provider and Service Provider shall not interact directly with (including to seek any authorizations directly from) the corresponding controller, other than through the regular provision of the Services to the extent required under the Agreement. Where Service Provider would otherwise be required to provide information, assistance, cooperation, or other notification to the controller, Service Provider shall provide it solely to Gloo.
Service Provider shall act as a processor or subprocessor (as applicable) under Applicable Data Protection Laws. As such, Service Provider shall only Process Personal Data in accordance with (i) the instructions of Gloo, (ii) as necessary to carry out the business purposes of the Agreement, in accordance with Annex A, or (iii) as otherwise authorized by Gloo in writing (“Processing Services”), and for no other purpose. For the avoidance of doubt, Service Provider will not (and will ensure that its employees, officers, contractors and agents do not): (a) retain, use, or disclose Personal Data for any purpose other than for the business purpose(s) set forth in these Standards and in accordance with written instructions from Gloo or otherwise permitted by Applicable Data Protection Laws; (b) retain, use, or disclose Personal Data for a commercial purpose other than providing the Services to Gloo; (c) “sell” or “share” Personal Data, as defined under Applicable Data Protection Laws; (d) retain, use, or disclose Personal Data outside of the direct business relationship between Gloo and Service Provider; or (e) combine Personal Data received from or on behalf of Gloo with Personal Data received from or on behalf of any other person or collected from Service Provider’s own interaction with a consumer. The foregoing does not apply to any information that no longer qualifies as Personal Data (including Gloo Personal Data), including by application of anonymization, deidentification, or aggregation techniques that meet the requirements of Applicable Data Protection Laws.
Where an Applicable Data Protection Law requires Service Provider to Process Personal Data under terms other than those of these Standards, or other written instructions of Gloo, Service Provider shall immediately notify Gloo of such legal requirement before Processing in accordance with the legal requirement, unless the applicable law prohibits disclosure. In addition, Service Provider shall notify Gloo immediately if, in Service Provider's assessment, any of Gloo's instructions infringe applicable law, including but not limited to Applicable Data Protection Laws, or if Service Provider determines that it can no longer meet its obligations under these Standards.
Service Provider shall immediately notify Gloo in writing of any request, complaint, claim, or other communication regarding Personal Data received by Service Provider, as well as by any Subprocessors (defined below): (i) from an individual who is or claims to be the individual about whom the Personal Data relates (“Data Subject”); (ii) from any privacy/supervisory authority, law enforcement agency, or other government authority; and/or (iii) from Gloo's employees or other third parties, other than those set forth in these Standards. Unless otherwise required by applicable law, Service Provider shall obtain Gloo's express written consent before disclosing or sharing any Personal Data in response to such requests, and Service Provider shall respond to such requests only when authorized by Gloo to do so. Subject to applicable law, in the event Service Provider receives any request from a governmental authority in any jurisdiction that requires the disclosure of Personal Data to such governmental authority, Service Provider shall attempt to redirect the governmental authority to request such Personal Data directly from Gloo. Notwithstanding anything to the contrary, however, Service Provider shall also cooperate with and provide reasonable assistance to Gloo and its affiliates, agents, Subprocessors, and representatives in responding to requests, inquiries, claims, and complaints regarding the Processing of Personal Data.
In addition to the obligations set out in Section 1(e) above, Service Provider shall assist Gloo by implementing appropriate administrative, technical, and organizational security measures for responding to applicable Data Subjects' requests relating to their rights, including but not limited to requests regarding: (i) access; (ii) rectification/modification; (iii) erasure/deletion; (iv) restriction of Processing; (v) data portability; (vi) objection to Processing; and (vii) opting out of automated individual decision-making, including profiling. Gloo shall, in its sole judgment, determine whether or not a Data Subject has a right to exercise any Data Subject rights referenced above or under Applicable Data Protection Laws, and give instructions to Service Provider to the extent the assistance is required. Further, Service Provider shall assist Gloo with communicating requests to recipients of Personal Data, including but not limited to Subprocessors, and securing such parties' cooperation to address any such Data Subject rights requests.
Service Provider warrants that any persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; are bound to Process Personal Data in accordance with Gloo's instructions; and have certified that they will comply with the terms of these Standards.
Upon request, Service Provider shall provide reasonable cooperation and assistance to Gloo in ensuring compliance with data security obligations, as well as in carrying out any data protection impact assessment or similar activity, through means, including but not limited to, providing a systemic description of the envisaged Processing, assistance with an assessment of the risks to the rights and freedoms of the relevant Data Subjects, and/or an assessment of the necessity and proportionality of the Processing in relation to the underlying purpose.
Technical and Organizational Security Measures
In addition to the technical obligations set out in Sections 1(f) and 1(h) above, Service Provider shall implement and maintain a written information security program (“Information Security Program”) that includes appropriate administrative, technical, organizational, and physical safeguards to protect Personal Data, including, as appropriate: (i) the pseudonymization and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems and services, including against unauthorized access, use, disclosure, alteration, or destruction of Personal Data; (iii) the ability to timely restore the availability and access to the Personal Data in the event of a physical or technical incident or issue; and (iv) a process for regularly testing, assessing, and evaluating the effectiveness of the administrative, technical, organizational, and physical measures for ensuring the security of the Processing.
In addition to any specific and/or supplemental security safeguards established in the Agreement between the Parties, Service Provider's Information Security Program shall include, but not be limited to, at least the safeguards set forth in Gloo’s Security Statement, which is incorporated herein by this reference. To the extent that any specific or supplemental security safeguards in the Agreement are less stringent than the safeguards set forth in Gloo’s Security Statement, the terms of Gloo’s Security Statement shall control. Upon Gloo's reasonable request, Service Provider shall provide a copy of its written Information Security Program to Gloo as well as any third party audits or certifications establishing that it has implemented the safeguards set out in the Information Security Program.
Security Incident
Notwithstanding anything in these Standards or the Agreement to the contrary, Service Provider shall notify Gloo immediately in writing no later than 24 hours after discovering or reasonably suspecting that: (i) any Personal Data has been Processed by Service Provider (including its Subprocessors) in violation of these Standards or Applicable Data Protection Laws or other applicable law; (ii) a breach of security leading to, or that may potentially lead to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data has occurred or may be occurring; or (iii) there have been any formal complaints about the Service Provider's (including its Subprocessors') data privacy, data protection, or data security practices (collectively, “Security Incident”). Service Provider shall cooperate fully in the investigation and remediation of the Security Incident, and take reasonable measures to limit further unauthorized disclosure or Processing of Personal Data in connection with the Security Incident. Service Provider shall also indemnify, defend, and hold Gloo, including its affiliates and subsidiaries, harmless from and against any and all claims, suits, proceedings, damages, costs, and expenses (including, without limitation, reasonable attorneys' fees, court costs, and expert witness costs) brought against or suffered by Gloo or any third party arising out of, resulting from, or relating to, any breach by Service Provider of these Standards, including any liabilities resulting from a Security Incident.
To the extent that a Security Incident gives rise to a need, in Gloo's sole judgment to: (i) provide notification to government authorities, individuals, or other persons or third parties; or (ii) undertake other remedial measures, including, without limitation, notice, credit monitoring, or call center services (collectively, “Remedial Action”), at Gloo's request, Service Provider shall, at Service Provider's cost, undertake such Remedial Action. The timing, content, and manner of effectuating any notices shall be determined by Gloo in its sole discretion.
Subprocessors
The Parties agree that Service Provider has general authorization to utilize affiliates and subsidiaries, agents, subcontractors (subject to the terms of the Agreement), or other third parties to assist Service Provider in providing the Services (“Subprocessor(s)”) subject to the terms of this Section 4. Service Provider will provide Gloo with a current list of Subprocessors (including affiliates and subsidiaries) prior to commencing the performance of Services. Throughout the term of the Agreement, Service Provider shall inform Gloo of any intended changes concerning the addition or replacement of Subprocessors, to which changes Gloo has the right to object at its sole discretion. Service Provider shall remain at all times responsible for and fully liable to Gloo for the Subprocessors' performance of its obligations. Service Provider shall also enter into a binding written agreement with each authorized Subprocessor that imposes the same or greater obligations as Service Provider's obligations as set forth under these Standards, in particular the requirements set out in Section 3 above.Audit Rights
Service Provider shall, at no additional cost to Gloo, keep or cause to be kept full and accurate records relating to all Processing of Personal Data on behalf of Gloo as part of the Processing Services, and Gloo may request, upon ten (10) days written notice to Service Provider (unless a shorter period is required by Applicable Data Protection Laws or request by a government authority), access to Service Provider's facilities, systems, records, and supporting documentation in order to audit, itself or through an independent third-party auditor, Service Provider's compliance with its obligations under or related to these Standards. The audit may be carried out once in any calendar year, unless otherwise required by Applicable Data Protection Laws or government authority. Audits shall be subject to all applicable confidentiality obligations agreed to by Gloo and Service Provider, and shall be conducted in a manner that makes reasonable efforts to minimize any disruption of Service Provider's performance of services and other normal operations. In the event that any such audit reveals material gaps or weaknesses in Service Provider's Information Security Program and/or a violation of Service Provider’s obligations under these Standards, Gloo shall be entitled to suspend transmission of Personal Data to Service Provider and terminate Service Provider's Processing of Personal Data until such issues are resolved. Gloo may also require Service Provider to, upon request, make available to Gloo any information or certifications necessary to demonstrate compliance with the obligations set forth in these Standards.Post-Termination
Notwithstanding any other provision of the Agreement or these Standards to the contrary, when Service Provider (including any of its Subprocessors) ceases to perform Processing Services for Gloo upon termination of the Agreement or otherwise (e.g. per the request or explicit instruction of Gloo), Service Provider shall, at the choice of Gloo: (i) return Personal Data (and all media containing copies of Personal Data) to Gloo; and/or (ii) securely purge, delete, and destroy Personal Data, unless applicable law to which Service Provider is subject prevents it from returning or destroying all or part of Personal Data transferred or received under the Agreement; in such case, Service Provider shall communicate in writing the legal basis preventing it from returning or destroying Gloo's Personal Data, and warrant that it shall guarantee the confidentiality of Gloo's Personal Data and shall not actively Process Gloo’s Personal Data. Electronic media containing Personal Data shall be disposed of in a manner that renders Personal Data unrecoverable. Upon request, Service Provider shall provide Gloo with an Officer's Certificate or other proof acceptable to Gloo to certify its compliance with this provision.Entry into Processing Addendum and Additional Privacy Terms
If, and to the extent required by Applicable Data Protection Laws, the Parties agree to make all commercially reasonable efforts to make necessary amendments to these Standards, including Annex A. The Parties will agree on the necessary changes in good faith, taking into account the obligation to carry out this contractual relationship in compliance with Applicable Data Protection Laws.
Additionally, to the extent that Personal Data from the European Union (EU) or United Kingdom (UK) is to be Processed, the Parties agree to execute the EU Standard Contractual Clauses and/or the UK Addendum and all corresponding and required annexes, as applicable.Limitation of Liability
The limitations of liability set forth in the Agreement apply to a breach of these Standards.
Categories of Data Subjects to Whom the Personal Data Processed Relates
Any and all Personal Data provided by Gloo to Service Provider or accessed by Service Provider in performing the Services, including without limitation Personal Data concerning the categories of Data Subjects as set forth in the Agreement.Categories of Personal Data Processed
Any and all Personal Data provided by Gloo to Service Provider or accessed by Service Provider in performing the Services, including without limitation the categories of Personal Data as set forth in the Agreement.Sensitive Categories of Personal Data Processed
Any and all sensitive Personal Data provided by Gloo to Service Provider or accessed by Service Provider in performing the Services, including without limitation the categories of sensitive Personal Data as set forth in the Agreement.Nature and Purposes of Processing
Personal Data will be Processed in accordance with the Agreement (including these Standards) and may be subject to the following Processing activities:Storage and other Processing necessary to provide, maintain and improve Services provided to Gloo; and/or
Disclosure in accordance with the Agreement (including these Standards).
Duration of Processing
Service Provider will process Personal Data for the duration of the Agreement unless otherwise agreed upon in writing.
Last Revised: March 16, 2023
Data Privacy FAQ
Data Privacy FAQ
Gloo was founded to bring the best possible data and technology to churches, charities, and community service organizations that help people grow. Gloo is committed to maintaining the privacy and security of your data. Below are a few frequently asked questions and our responses about our privacy practices. Further information regarding our privacy practices is set out in our Privacy Statement.
What Services does Gloo provide?
We offer a variety of products, services, mobile applications, and software offerings (collectively, the “Services”) that help organizations know and understand their members, prospective members, and communities; connect organizations and individuals to one another; and measure their impact as they help people on their journey towards growth. As part of providing the Services, we collect and receive information in a variety of ways, including information on our websites and applications, from our organizational customers and/or prospective customers, from individuals that use the Services as well as other third parties described below.To whom does Gloo offer its Services?
Gloo offers Services to organizations that support personal growth, including churches, charities, addiction recovery institutions, and community service organizations (we may refer to these organizations as Champions). We are open to all organizations whose principles align with our Services Acceptable Use Policy. We do not unlawfully discriminate against any religions, churches, or other organizations.
We also offer Services to individuals who are interested in connecting with the organizations we work with.How does Gloo collect and use personal information?
As we explain in our Privacy Statement, we use personal information about individuals to provide our Services. We may collect the following data:When individuals visit our website or sign up for our Services, we receive data from these individuals themselves. We do not disclose this data in identifiable form with others, except at the request or direction of the individual, such as when individuals ask us to connect them with churches or other organizations who can help them or in the limited circumstances described in our Privacy Statement (e.g., to service providers).
When a church or other organization engages us as a service provider, we process personal information the organization provides to us on the organization’s behalf, such as to create surveys and social media outreach campaigns for those organizations at the explicit instruction of the organization.
We also license personal information from data providers. We use this data to provide insights and related Services to our customers. Gloo does not seek to receive names and contact information of data subjects provided by data providers. However, if a data provider were to include names or contact information, we remove this identifying information. In any event, we do not share such information in identifiable form with customers or other organizations.
What information does Gloo receive from and about Gloo Customers?
We receive information from data partners about our customers, including contact information about individuals who work for those organizations (e.g., pastors). We use this information for market research, product development, and marketing in accordance with applicable laws as further described in our Privacy Statement.Is Gloo a data broker?
No. Gloo does not “sell” a consumer’s personal information to third parties as defined by applicable law and/or engage in activities that meet the definition of “data” broker.How does Gloo safeguard Gloo Services?
As set out in our Services Acceptable Use Policy, we contractually prohibit recipients of our Services from using our Services (a) for any illegal purposes, (b) to promote hate speech or incite violence, (c) to create a risk to a person’s health or safety, (d) for the advancement of political parties or election campaigns, (e) for anything malicious, fraudulent, harassing or threatening, or (f) for any covert, misleading or unfair communications, including, without limitation, any advertisements or social media campaigns that fail to identify the organization that controls or pays for the communication.What does Gloo do to maintain the privacy of personal information?
We may handle sensitive information, including information on faith, religion, family, health, and finances. Gloo has taken measures to mitigate privacy risks with data security and data privacy protection mechanisms including the following:We limit data access within our company to those individuals who have a need to access data.
We implement the measures described in our Security Statement.
We limit the personal information that we share, as described under this Section.
We restrict what our customers may do with the Services and personal information, as set forth in our terms of service, Privacy Statement, and acceptable use policy (see our answers to Questions 3 and 6).
If you have any further questions, please contact us at: privacy@gloo.us.
Last Revised: March 16, 2023
Data Privacy FAQ
Data Privacy FAQ
Gloo was founded to bring the best possible data and technology to churches, charities, and community service organizations that help people grow. Gloo is committed to maintaining the privacy and security of your data. Below are a few frequently asked questions and our responses about our privacy practices. Further information regarding our privacy practices is set out in our Privacy Statement.
What Services does Gloo provide?
We offer a variety of products, services, mobile applications, and software offerings (collectively, the “Services”) that help organizations know and understand their members, prospective members, and communities; connect organizations and individuals to one another; and measure their impact as they help people on their journey towards growth. As part of providing the Services, we collect and receive information in a variety of ways, including information on our websites and applications, from our organizational customers and/or prospective customers, from individuals that use the Services as well as other third parties described below.To whom does Gloo offer its Services?
Gloo offers Services to organizations that support personal growth, including churches, charities, addiction recovery institutions, and community service organizations (we may refer to these organizations as Champions). We are open to all organizations whose principles align with our Services Acceptable Use Policy. We do not unlawfully discriminate against any religions, churches, or other organizations.
We also offer Services to individuals who are interested in connecting with the organizations we work with.How does Gloo collect and use personal information?
As we explain in our Privacy Statement, we use personal information about individuals to provide our Services. We may collect the following data:When individuals visit our website or sign up for our Services, we receive data from these individuals themselves. We do not disclose this data in identifiable form with others, except at the request or direction of the individual, such as when individuals ask us to connect them with churches or other organizations who can help them or in the limited circumstances described in our Privacy Statement (e.g., to service providers).
When a church or other organization engages us as a service provider, we process personal information the organization provides to us on the organization’s behalf, such as to create surveys and social media outreach campaigns for those organizations at the explicit instruction of the organization.
We also license personal information from data providers. We use this data to provide insights and related Services to our customers. Gloo does not seek to receive names and contact information of data subjects provided by data providers. However, if a data provider were to include names or contact information, we remove this identifying information. In any event, we do not share such information in identifiable form with customers or other organizations.
What information does Gloo receive from and about Gloo Customers?
We receive information from data partners about our customers, including contact information about individuals who work for those organizations (e.g., pastors). We use this information for market research, product development, and marketing in accordance with applicable laws as further described in our Privacy Statement.Is Gloo a data broker?
No. Gloo does not “sell” a consumer’s personal information to third parties as defined by applicable law and/or engage in activities that meet the definition of “data” broker.How does Gloo safeguard Gloo Services?
As set out in our Services Acceptable Use Policy, we contractually prohibit recipients of our Services from using our Services (a) for any illegal purposes, (b) to promote hate speech or incite violence, (c) to create a risk to a person’s health or safety, (d) for the advancement of political parties or election campaigns, (e) for anything malicious, fraudulent, harassing or threatening, or (f) for any covert, misleading or unfair communications, including, without limitation, any advertisements or social media campaigns that fail to identify the organization that controls or pays for the communication.What does Gloo do to maintain the privacy of personal information?
We may handle sensitive information, including information on faith, religion, family, health, and finances. Gloo has taken measures to mitigate privacy risks with data security and data privacy protection mechanisms including the following:We limit data access within our company to those individuals who have a need to access data.
We implement the measures described in our Security Statement.
We limit the personal information that we share, as described under this Section.
We restrict what our customers may do with the Services and personal information, as set forth in our terms of service, Privacy Statement, and acceptable use policy (see our answers to Questions 3 and 6).
If you have any further questions, please contact us at: privacy@gloo.us.
Last Revised: March 16, 2023